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Accountability  *  Integrity  *  Reliability 


United  States  General  Acconnting  Office 
Washington,  DC  20548 


Febraary  22,  2002 

The  Honorable  Joseph  I.  lieberman 
Chairman,  Committee  on  Governmental  Affairs 
United  States  Senate 

Dear  Mr.  Chairman: 

The  events  of  September  1 1  and  the  subsequent  anthrax  attacks  have 
demonstrated  the  importance  of  accurate,  timely  information  and  the  need 
for  strong  leadership  in  integrating  and  managing  this  information  across 
government  agencies.  As  agencies  have  struggled  with  issues  involving 
intelligence  gathering,  information  sharing  and  dissemination,  security, 
and  information  technology  (IT),  it  has  become  increasingly  apparent  that 
our  government  needs  to  better  assess — from  a  strategic  standpoint — all 
aspects  of  how  it  handles  information. 

In  recognition  of  the  importance  of  government  information,  the  Congress 
in  1980,  as  you  know,  passed  the  Paperwork  Reduction  Act  (PRA)  to 
establish  a  single,  overarching  policy  framework  for  the  management  of 
information  resources.  The  act,  amended  in  1986  and  1995,  established 
information  resources  management  (IRM)  as  an  approach  governing 
virtually  all  aspects  of  government  information  activities,  including 
collection,  dissemination,  security  and  privacy,  and  management  of 
information  technology.  The  act  also  created  the  Office  of  Information  and 
Regulatory  Affairs  (OIRA)  within  the  Office  of  Management  and  Budget 
(0MB),  to  provide  leadership,  policy  direction,  and  oversight  of 
governmentwide  IRM.  It  further 

•  required  OIRA  to  develop  and  maintain  a  governmentwide  strategic  IRM 
plan,  and 

•  charged  OIRA  with  responsibilities  for  general  IRM  policy  and  specific 
IRM  functions:  information  collection,  dissemination,  statistical  policy  and 
coordination,  records  management,  privacy  and  security,  and  information 
technology. 

Since  1998,  OIRA  has  designated  the  Chief  Information  Officers  Council’s 
strategic  plan  as  the  principal  means  of  meeting  the  requirement  for  a 
governmentwide  strategic  IRM  plan.  The  most  recent  plan  is  for  fiscal 
years  2001-2002  and  was  published  jointly  by  0MB  and  the  CIO  Council  in 
October  2000.  According  to  this  plan,  its  goal  is  to  enhance  the  strategic 
focus  of  the  Council,  establish  roadmaps  for  achieving  the  strategic  vision. 
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define  measures  to  assist  the  Council  in  evaluating  its  progress  toward 
meeting  its  challenges,  and  provide  a  basis  for  budget  planning. 

This  report  responds  to  your  request  that  we  review  OIRA’s  actions  to 
fulfill  its  responsibilities  under  PRA.  Specifically,  our  objectives  were  to 
(1)  assess  the  adequacy  of  the  governmentwide  strategic  IRM  plan 
developed  in  response  to  the  act’s  requirements  and  (2)  provide  status 
information  on  OIRA’s  actions  to  address  its  IRM  policymaking,  oversight, 
and  functional  responsibilities  under  the  act.  Our  review  was  conducted  at 
0MB  headquarters  in  Washington,  D.C.,  from  June  through  December 
2001,  in  accordance  with  generally  accepted  government  auditing 
standards.  Appendix  I  contains  details  of  our  scope  and  methodology. 


Results  in  Brief 


While  OIRA  designated  the  Chief  Information  Officers  Council’s  strategic 
plan  for  fiscal  years  2001-2002  as  the  governmentwide  strategic  IRM  plan 
required  by  the  Paperwork  Reduction  Act,  it  does  not  constitute  an 
effective  and  comprehensive  strategic  vision. 

The  plan  establishes  a  vision  and  a  number  of  governmentwide  goals  that 
address  significant  issues  such  as  e-government,  information  security,  and 
development  of  information  technology  skills  and  resources.  Each  goal 
has  a  set  of  associated  objectives  and  strategies.  The  goals,  however,  are 
not  linked  to  expected  improvements  in  agency  and  program  performance. 
The  goals  also  do  not  address  IRM  comprehensively;  for  example, 
statistical  activities,  records  management,  and  the  collection  and  control 
of  paperwork  are  not  addressed. 

In  discussing  our  evaluation,  OIRA  asserted  that  while  the  Chief 
Information  Officers  Coimcil’s  plan  is  the  primary  vehicle  for  complying 
with  the  planning  requirements  in  PRA,  other  documents  supplement  the 
plan.  These  other  documents  include  the  President’s  Management  Agenda 
issued  in  August  2001,  budget  documents  for  fiscal  year  2002,  and 
summaries  of  agency  reports  on  paperwork  elimination  (October  2001) 
and  computer  security  (February  2002).  Of  the  documents  cited,  only  the 
president’s  management  agenda  is  strategic  in  providing  a 
governmentwide  goal  and  associated  strategies  for  expanding  e- 
government.  The  remaining  documents  deal  with  various  aspects  of  the 
government’s  use  of  IRM  but  do  not  contain  governmentwide  goals, 
strategies,  or  performance  measures,  and  thus  do  not  address  the 
weaknesses  we  identified.  Further,  this  multitude  of  documents,  issued  at 
different  points  in  time,  has  not  historically  been  integrated  or  linked 
together  to  clearly  communicate  to  internal  and  external  stakeholders  a 
unified  strategic  vision  and  accountability  measures  for  government  IRM. 
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•  These  shortcomings  call  into  question  the  degree  of  management  attention 
that  OIRA  has  traditionally  devoted  to  producing  the  governmentwide 
strategic  IRM  plan.  Without  an  effective  unifying  plan,  federal  agencies  are 
left  to  address  information  needs  in  isolation,  without  a  comprehensive 
vision  to  unify  their  efforts.  Further,  the  risk  is  increased  that  current  and 
emerging  IRM  challenges  will  not  be  met.  We  are  making 
recommendations  to  the  OIRA  administrator  on  developing  an  effective 
and  comprehensive  plan. 

Regarding  the  status  of  actions  to  respond  to  other  key  requirements  in 
PRA,  OIRA  has  issued  policy  and  implementing  guidance,  conducted 
oversight  activities,  and  taken  a  variety  of  actions  regarding  each  of  the 
functional  areas.  Based  on  our  work  over  the  last  decade,  however,  OIRA 
still  faces  challenges  including  improving  the  collection,  use,  and 
dissemination  of  government  information,  assuring  the  protection  of 
critical  private  and  public  information  systems,  and  strengthening 
information  technology  management  processes.  We  have  made  numerous 
recommendations  in  previous  reports  to  address  these  challenges,  many  of 
which  have  not  yet  been  implemented. 

In  commenting  on  a  draft  of  this  report,  the  director,  0MB,  expressed 
concern  that  it  (1)  narrowly  focuses  on  the  finding  that  a  governmentwide 
strategic  plan  must  be  a  single  document  and  reiterated  OMB’s  position 
that  the  documents  cited  during  our  review  meet  the  requirements  for  a 
governmentwide  strategic  IRM  plan,  and  (2)  does  not  incorporate  the 
importance  of  the  associate  director  for  IT  and  e-government  in  providing 
direction  to  agencies  on  many  PRA-related  areas.  We  disagree  that  our 
report  narrowly  focuses  on  the  strategic  plan’s  being  a  single  document. 
Our  principal  finding  was  that  the  documents  cited  by  0MB  during  our 
review  did  not,  separately  or  collectively,  meet  the  requirements  for  a 
governmentwide  strategic  IRM  plan  established  by  PRA. 

Further,  while  we  believe  there  is  value  in  producing  a  single  plan  to 
clearly  communicate  the  administration’s  vision  for  IRM,  we  do  not 
believe  that  0MB  must  necessarily  produce  an  entirely  new  document  to 
accomplish  this.  0MB  has  options  for  building  on  past  efforts — including 
the  CIO  Council  strategic  plan,  the  president’s  management  agenda,  and 
the  president’s  budget  for  2003 — to  craft  a  plan  that  contains  a 
comprehensive  strategic  statement  of  goals  and  resources. 

Regarding  the  president’s  budget  for  2003,  released  on  February  4,  2002, 
after  we  sent  a  draft  of  this  report  to  0MB  for  comment,  it  contains  many 
of  the  elements  required  in  a  strategic  plan  that  were  not  present  in 
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previous  documents  cited  by  0MB  and  appears  to  address,  in  part,  the 
recommendations  in  this  report.  As  a  result,  we  believe  this  document, 
when  viewed  in  conjunction  with  the  president’s  management  agenda, 
represents  credible  progress  toward  developing  a  governmentwide  plan. 
We  intend  to  follow  up  on  this  and  other  documents  0MB  has  indicated 
are  forthcoming  to  determine  the  extent  to  which  our  recommendations 
have  been  implemented. 

In  regard  to  the  associate  director,  we  acknowledge  the  role  that  0MB  has 
given  him  to  provide  strategic  direction  to  agencies  and  have  modified  our 
recommendations  to  recognize  the  importance  of  the  administrator’s 
working  in  conjunction  with  this  official  in  articulating  a  comprehensive 
IRM  vision  and  in  developing  a  governmentwide  plan  that  meets  PRA 
requirements. 


Background 


The  need  for  strong  leadership  and  a  governmentwide  strategic  view  of 
information  management  has  long  been  recognized  as  critical.  Along  with 
establishing  a  single  policy  framework  for  federal  management  of 
information  resources  and  formalizing  the  institutionalization  of  IRM  as 
the  approach  governing  information  activities,  the  Paperwork  Reduction 
Act  (PRA)  in  1980  created  OIRA  to  develop  IRM  policy  and  oversee  its 
implementation,  at  the  same  time  giving  it  oversight  responsibilities  in 
specific  IRM  functional  areas.  The  OIRA  adnunistrator  is  also  to  serve  as 
the  principal  adviser  to  the  director  of  0MB  on  IRM  policy.  The  Clinger- 
Cohen  Act  of  1996  amended  PRA  to  also  give  OIRA,  through  the  director, 
significant  leadership  responsibilities  in  supporting  agencies’  actions  to 
improve  their  IT  management  practices. 

In  addition  to  these  statutory  responsibilities,  OIRA  is  responsible  for 
providing  overall  leadership  of  executive  branch  regulatory  activities. 
OIRA  also  reviews  significant  new  regulations  issued  by  executive 
departments  and  agencies  (other  than  independent  regulatory  agencies) 
before  they  are  published  in  the  Federal  Register.  In  calendar  year  2000, 
OIRA  staff  reviewed  approximately  2,900  proposed  and  4,600  final  rules. 

OIRA  is  organized  into  five  branches:  Information  Policy  and  Technology 
Management,  Statistical  Policy,  Commerce  and  Lands,  Human  Resources 
and  Housing,  and  Natural  Resources.  Information  Policy  and  Technology 
is  responsible  for  information  dissemination,  records  management, 
privacy  and  security,  and  IT.  Statistical  Policy,  headed  by  the  chief 
statistician,  is  responsible  for  the  statistical  policy  and  coordination 


Page  4 


GAO-02-292  OMB's  Governmentwide  Strategic  IRM  Plan 


requirements  contained  in  the  act.  Desk  officers  in  Commerce  and  Lands, 
Human  Resources  and  Housing,  and  Natural  Resources  are  responsible  for 
information  collection  and  regulatory  review  and  related  issues  for 
specific  agencies  in  a  matrixed  fashion,  in  consultation  with  relevant  OIRA 
branches  as  well  as  the  budget  side  of  0MB.  As  of  December  31,  2001, 
OIRA  had  a  total  of  51  full-time  equivalent  (FTE)  staff  assigned  to  the  five 
branches:  Information  Pohcy  and  Technology  Management  (12  FTEs), 
Statistical  Pohcy  (6),  Commerce  and  Lands  (8),  Human  Resources  and 
Housing  (9),  and  Natural  Resources  (9).  The  OIRA  Records  Management 
Center  accounted  for  one  additional  position;  the  Office  of  the  OIRA 
Administrator  accounted  for  the  remaining  six  positions.  OIRA  has  been 
allotted  and  is  in  the  process  of  filling  5  additional  slots. 

Two  other  entities  perform  PRA-related  activities.  First,  the  Chief 
Information  Officers  (CIO)  Council  was  established  by  executive  order'  in 
July  1996  as  the  principal  interagency  forum  for  improving  agency  IRM 
practices.  For  example,  the  Council  is  to  make  recommendations  for 
overall  IT  management  policy,  procedures,  and  standards,  and  to  provide 
advice  to  0MB  on  the  development  of  the  governmentwide  strategic  IRM 
plan  required  by  PRA.  The  Council  is  composed  of  the  CIOs  and  deputy 
CIOs  from  28  federal  agencies,  plus  senior  officials  from  0MB.  Second, 
last  June  0MB  established  the  position  of  associate  director  for 
information  technology  and  e-government.  This  individual  is  responsible 
for  (1)  working  to  further  the  administration’s  goal  of  using  the  Internet  to 
create  a  citizen-centric  government;  (2)  ensuring  that  the  federal 
government  takes  maximum  advantage  of  technology  and  best  practices  to 
improve  quality,  effectiveness,  and  efficiency;  and  (3)  leading  the 
development  and  implementation  of  federal  IT  policy.  In  addition,  the 
associate  director  is  responsible  for  (1)  overseeing  implementation  of  IT 
throughout  the  federal  government,  (2)  working  with  the  deputy  director 
for  management — also  described  by  0MB  as  the  federal  CIO — to  perform 
a  variety  of  oversight  functions  statutorily  assigned  to  0MB,  and  (3) 
directing  the  activities  of  the  CIO  Council. 

We  have  previously  reported  on  OIRA’s  efforts  to  respond  to  the  PRA 
requirements  for  a  governmentwide  strategic  plan."  In  1998,  we  reported 
that  none  of  the  various  reports  OIRA  had  designated  since  1995  as  being 


'  Executive  Order  1301 1,  Federal  Information  Technology,  July  16,  1996. 

"  Regulatory  Management:  Implementation  of  Selected  0MB  Responsibilities  Under  the 
Paperwork  Reduction  Act  (GAO/GGD-98-120,  July  9, 1998). 
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the  strategic  IRM  plan  clearly  discussed  the  objectives  and  means  by 
which  the  federal  government  would  use  all  types  of  information 
resources  to  improve  agency  and  program  performance — a  key  PRA 
requirement. 


A  Broad,  Governmentwide  Recent  events  have  highlighted  information  as  not  only  an  asset  but  a 
Perspective:  More  critical  tool,  essential  to  achieving  the  fundamental  purposes  of 

Imperative  Than  Ever  government.  In  the  aftermath  of  the  attacks  of  the  past  few  months, 

agencies  have  clearly  struggled  with  issues  concerning  intelligence 
gathering,  information  sharing  and  dissemination,  security,  and  critical 
information  technology  infrastructure.  For  example: 

•  Our  September  2001  combating  terrorism  report*  highlighted  that  the 
growing  threat  of  terrorism  presented  evolving  challenges  to  the  existing 
framework  for  leadership  and  coordination.  We  reported  that  the 
interagency  and  intergovernmental  nature  of  programs  to  combat 
terrorism  make  it  important  that  certain  overall  leadership  and 
coordination  fimctions  be  performed  above  the  level  of  individual 
agencies.  Accordingly,  we  recommended  that  the  President  appoint  a 
single  focal  point  with  responsibility  for  overall  leadership  and 
coordination,  including  the  development  of  a  national  strategy.  The 
president  subsequently  appointed  fonner  governor  Tom  Ridge  as  the  new 
director  of  homeland  security,  responsible  for  coordinating  federal,  state, 
and  local  actions  and  for  leading  and  overseeing  such  a  comprehensive 
approach  to  safeguarding  the  nation  against  terrorism.  The  successful 
formulation  of  such  a  comprehensive  strategy  will  require  development  of 
one  overall  plan  for  the  collection  and  analysis  of  information  relating  to 
terrorist  activities  or  threats  across  the  United  States,  and  the  securing  of 
IT  systems  to  facilitate  the  sharing  of  this  information  among  the  many 
entities  involved. 

•  That  same  report  also  addressed  the  need  to  protect  critical  federal 
systems  from  computer-based  attacks.  As  we  reported,  while  an  array  of 
activities  had  been  imdertaken  to  implement  a  national  strategy  to  mitigate 
risks  to  computer  systems  and  the  critical  operations  and  infrastructures 
they  support,  progress  in  certain  key  areas  had  been  slow.  Specifically, 


^  Combating  Terrorism:  Selected  Challenges  and  Related  Recommendations  (GAO-01-822, 
September  20, 2001).  See  also  Homeland  Security:  A  Fra, mervork  for  Addressing  the 
Nation’s  Efforts  (GAO01-1158T,  September  21,  2001)  and  Combating  Terrorism: 
Comments  on  Counterterrorism  Leadership  a,nd  Na  tional  Stra  tegy  (GAO-01-556T, 

March  27,  2001). 
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agencies  had  taken  steps  to  develop  critical  infrastructure  protection 
plans,  but  independent  audits  continue  to  identify  persistent,  significant 
information  security  weaknesses  that  place  federal  operations  at  risk. 
Further,  while  outreach  efforts  by  numerous  federal  entities  to  establish 
cooperative  relationships  with  and  among  private  and  other  nonfederal 
organizations  had  raised  awareness  and  prompted  information  sharing, 
substantive  analysis  of  sector-wide  and  cross-sector  interdependencies 
and  vulnerabilities  had  been  limited.  We  recommended  that  the  federal 
government’s  critical  infrastructure  protection  strategy,  which  was  under 
review  at  the  time  of  our  report,  define  (1)  specific  roles  and 
responsibilities,  (2)  objectives,  milestones,  and  an  action  plan,  and  (3) 
performance  measures. 

•  The  recent  attacks  have  also  highlighted  the  need  for  immigration,  law 
enforcement,  intelligence,  and  defense  and  foreign  policy  agencies  to 
better  share  information  on  domestic  and  international  terrorists  and 
criminals.  Concerns  have  been  raised  that  the  various  databases  and 
information  systems  containing  this  information  may  not  be  sufficiently 
linked  to  ensure  that  all  levels  of  government  have  complete  and  accurate 
information. 

•  Recent  events  have  also  reemphasized  the  importance  of  ongoing  efforts 
to  improve  the  public  health  infrastructure  that  detects  disease  outbreaks, 
identifies  sources  and  modes  of  transmission,  and  performs  laboratory 
identification.  According  to  the  Centers  for  Disease  Control  and 
Prevention  (CDC),  the  ability  to  share  information  on  potential  threats  and 
remedial  actions,  and  exchange  data  on  newly  identified  disease 
outbreaks,  is  critical  to  our  defense  against  bioterrorism.  However,  we, 
CDC,  and  others  have  identified  deficiencies  in  the  information  systems 
and  telecommunications  capabilities  at  the  local,  state,  and  national  levels 
that  hinder  effective  bioterrorism  identification  and  response.  For 
example,  in  March  2001,  CDC  recommended  that  all  health  departments 
have  continuous,  high-speed  access  to  the  Internet  and  standards  for  data 
collection,  transport,  electronic  reporting,  and  information  exchange  that 
protect  privacy  and  seamlessly  connect  local,  state,  and  federal  data 
systems.  In  recent  testimony,  CDC  emphasized  that  since  September  11  it 
has  accelerated  its  efforts  to  work  with  state  and  local  health  agencies, 
share  critical  lessons  learned,  and  identify  priority  areas  for  immediate 
strengthening.^ 


^  Prepared  statement  by  Edward  L.  Baker,  M.D.,  M.P.H.;  Director,  Public  Health  Practice 
Program,  Office  Centers  for  Disease  Control  and  Prevention,  Department  of  Health  and 
Human  Services,  before  the  Subcommittee  on  Technology  and  Procurement  Policy,  Senate 
Committee  on  Government  Reform,  December  14,  2001. 
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Beyond  the  recent  terrorist  acts,  emerging  trends  also  make  clear  the 
importance  of  information  resources  to  government,  and  the  need  for  a 
strategic  approach.  One  such  trend  is  the  continuing  shift  from  an 
industrial  to  a  knowledge-based'^  and  global  economy®  in  which  knowledge 
becomes  the  main  driver  of  value  and  creation  of  wealth.  One 
characteristic  of  a  knowledge-based  economy  is  a  higher  set  of  public 
expectations  about  government  performance  and  accountability.  In 
addition,  the  knowledge-based  economy  presents  complex  issues  that 
require  input  from  multiple  institutions  at  different  levels  of  government 
and  within  the  private  and  nonprofit  sectors.  To  address  these  challenges, 
government  needs  processes  and  structures  that  embrace  long-term, 
cross-issue,  strategic  thinking.  Understanding  and  developing  these  new 
processes  will  require  active  use  and  exchange  of  knowledge  and 
information  that  are  relevant,  timely,  accurate,  valid,  reliable,  and 
accessible. 

The  administration  has  also  recognized  the  need  to  improve  government 
performance  and,  as  a  result,  has  established  an  ambitious  agenda  that  is 
dependent  on  effective  management  of  information  resources.  One  of  the 
governmentwide  goals  in  The  President’s  Management  Agenda  for  Fiscal 
Year  2002  is  to  expand  e-government  to  provide  high-quality  service  to 
citizens  at  reduced  cost,  make  government  services  more  accessible,  and 
increase  government  transparency  and  accountability.  To  accomplish  this, 
the  administration  plans  to  support  projects  that  offer  performance  gains 
across  agency  boundaries,  such  as  the  development  of  a  Web-based  portal 
that  will  allow  citizens  to  apply  for  federal  grants  on-line.  Making  this 
strategy  successful  will  require  the  government  to  address  such  challenges 
as  implementing  appropriate  security  controls,  protecting  personal 
privacy,  and  maintaining  electronic  records. 


®  A  knowledge-based  economy  is  one  characterized  by  the  production  of  information  and 
services  in  which  intellectual  assets  are  the  central  resource. 

®  See  Managing  in  the  New  Millennium:  Shaping  a,  More  Efficient  and  Effective 
Government  for  the  21st  Century  (GAO/T-OCG-00-9,  March  29,  2000). 
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A  Coordinated 
Federal  IRM  Plan  Is 
Essential  to  Achieving 
Results;  OIRAs  Plan 
Falls  Short 


Given  the  changing  environment  in  which  the  need  for  a  performance- 
based  federal  approach  to  managing  the  government’s  information 
resources  is  of  paramount  importance,  strategic  planning  provides  an 
essential  foundation.  It  defines  what  an  organization  seeks  to  accomplish, 
identifies  the  strategies  it  will  use  to  achieve  desired  results,  and  then 
determines — ^through  measurement — how  well  it  is  succeeding  in  reaching 
results-oriented  goals  and  achieving  objectives.  An  important  element  of  a 
strategic  plan  is  that  it  presents  an  integrated  system  of  high-level 
decisions  that  are  reached  through  a  formal,  visible  process.  The  plan  is 
thus  an  effective  tool  with  which  to  communicate  the  mission  and 
direction  to  stakeholders. 


However,  the  CIO  Council  plan  that  was  prepared  to  respond  to  the 
requirements  of  the  PRA  is  not  an  effective  and  comprehensive 
governmentwide  plan.  Specifically,  the  plan’s  governmentwide  goals  (1) 
are  not  linked  to  expected  improvements  in  agency  and  program 
performance  and  (2)  do  not  comprehensively  address  IRM.  In  addition, 
strategies  for  reaching  the  goals  are  incomplete.  Additional  documents 
that  OIRA  cited  as  supplementing  the  CIO  plan  do  not  address  the 
weaknesses  we  identified.  As  a  result,  agencies  are  left  to  address 
information  needs  in  isolation  without  a  comprehensive  vision  to  unify 
their  efforts.  Further,  the  risk  is  increased  that  current  and  emerging  IRM 
challenges  will  not  be  met. 


Over  the  past  20  years,  the  Congress  has  put  in  place  a  statutory 
framework  to  improve  the  performance  and  accountability  of  executive 
agencies  and  to  enhance  executive  branch  and  congressional 
decisionmaking.  Results-oriented  management  legislation,  coupled  with 
legislation  reforming  IT,  has  enabled  substantial  progress  in  establishing 
the  basic  infrastructure  needed  to  create  high-performing  federal 
organizations. 

PRA  requires  OIRA  to  develop  and  maintain  a  govemmentwide  strategic 
IRM  plan  to  describe  how  the  federal  government  will  apply  information 
resources  to  improve  agency  and  program  performance.  Specifically,  this 
strategic  plan  was  intended  to  provide  a  comprehensive  vision  for  the 
future  of  IRM  in  government,  and  would  establish  governmentwide  goals 
for  using  information  resources  to  improve  agency  and  program 
performance,  and  describe  the  strategies,  including  resources  needed,  to 
accomplish  these  goals. 


A  Strategic 

Governmentwide  IRM  Plan 
Is  Required 
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PRA  further  stipulates  that  the  strategic  IRM  plan  must  include  (1)  plans 
for  enhancing  public  access  to  and  dissemination  of  information  using 
electronic  and  other  formats;  (2)  plans  for  meeting  the  information 
technology  needs  of  the  government;  (3)  plans  for  reducing  information 
burdens  and  meeting  shared  data  needs  with  shared  resources;  and  (4)  a 
description  of  progress  in  applying  IRM  to  improving  agency  mission 
performance.  The  plan  is  also  to  be  developed  in  consultation  with  the 
archivist  of  the  United  States,  the  administrator  of  general  services,  the 
director  of  the  National  Institute  of  Standards  and  Technology,  and  the 
director  of  the  Office  of  Personnel  Management. 


The  CIO  Council’s 
Strategic  Plan  Has  Been 
Designated  the 
Governmentwide  Plan 


Since  1998,  OlRA’s  response  to  the  PRA  mandate  for  a  strategic  plan  has 
been  to  jointly  publish  a  strategic  plan  with  the  CIO  Council.  The  most 
recent  plan,  the  CIO  Council  Strategic  Plan  for  Fiscal  Years  2001-2002, 
was  issued  in  October  2000.  The  development  of  this  plan  was  the  result  of 
extensive  discussion,  both  internally  with  agency  CIOs  and  with  some 
external  stakeholders,  such  as  state  and  IT  industry  CIOs. 

The  CIO  Council  plan  articulates  a  vision  that  was  used  to  guide  the  plan’s 
goals  and  objectives:  Better  government  through  better  use  of 
information,  people,  processes,  and  technology.  The  plan  reflects  the 
Council’s  view  of  critical,  cross-cutting  IT  issues  that  are  affecting  the 
federal  government’s  ability  to  serve  its  citizens.  It  also  provides 
background  and  rationale  for  the  issues,  and  a  brief  description  of  the 
Council’s  past  accomplishments  in  each  area.  For  fiscal  years  2001-2002, 
the  Council  identified  six  themes  that  frame  the  specific  goals  that 
accompany  them.  These  goals  are  as  follows: 

Connect  all  citizens  to  the  products,  services,  and  information  of  their 
government. 

Develop  interoperable  and  innovative  govemmentwide  IT  initiatives. 
Implement  a  secure  and  reliable  information  infrastructure  that  the 
customer  can  access  and  trust. 

Develop  IT  skills  and  resources  to  meet  mission  objectives. 

Collaborate  between  the  public  and  private  sectors  to  achieve  better 
government. 

Develop  investment  management  policies,  practices,  and  tools  that  enable 
improved  delivery  of  government  programs  and  services. 

Each  goal  has  a  set  of  associated  objectives  or  major  actions  needed.  A 
total  of  88  detailed  initiatives  are  provided,  representing  specific,  concrete 
actions  that  the  Council  can  take  to  implement  its  objectives. 
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The  CIO  Council  Strategic 
Plan  Does  Not  Meet  Most 
PRA  Requirements 


While  a  robust  document  for  the  Council,  this  plan  does  not  constitute  an 
effective  govemmentwide  strategic  IRM  plan  under  PRA.  First,  although 
the  plan  establishes  a  number  of  goals  that  are  clearly  governmentwide  in 
nature,  these  goals  are  not  linked  to  expected  improvements  in  agency  and 
program  performance.  For  example,  the  plan  contains  a  governmentwide 
goal  of  interoperable  and  innovative  IT  initiatives;  however,  the  plan  does 
not  discuss  how  these  initiatives  will  improve  agency  performance  or 
establish  targets  for  improvement.  Further,  the  plan’s  goals  do  not  address 
IRM  comprehensively;  for  example,  statistical  activities,  records 
management,  and  the  collection  and  control  of  paperwork  are  not 
addressed. 


Second,  while  the  plan  contains  strategies  for  reaching  the  goals,  these 
strategies  are  incomplete.  Specifically,  the  plan  does  not  address,  even  at  a 
high  level,  OIRA’s  policymaking  and  oversight  role  in  helping  to  attain 
those  goals.  Further,  the  plan  does  not  discuss  the  resources  needed 
govemmentwide — by  OIRA,  the  CIO  Council,  and  federal  agencies — to 
achieve  its  goals. 

Finally,  the  plan  addresses  some  but  not  all  of  the  remaining  items 
highlighted  in  PRA.  Specifically: 

•  The  plan  does  address  enhancing  public  access  to  and  dissemination  of 
information.  The  first  goal — connecting  all  citizens  to  the  products, 
services,  and  information  of  their  government — is  focused  on  making 
government  information  accessible  and  facilitating  transactions  with 
citizens.  Strategies  to  accomplish  this  goal  included  developing  the 
FirstGov.gov  portal  for  government  services.^ 

•  The  plan  includes  a  discussion  of  meeting  the  IT  needs  of  the  government. 
Specifically,  goal  six  focuses  on  IT  investment  management  practices  and 
tools  to  improve  delivery  of  government  services  and  programs.  Strategies 
include  improving  the  quality  of  data  used  to  support  investment 
decisionmaking,  information  technology  acquisition  strategies,  and  IT 
performance  measmement. 

•  It  does  not  address  reducing  the  information  burden  to  the  public.  While  it 
includes  goals  and  strategies  that  may  ultimately  result  in  burden 
reduction — such  as  creating  mteroperable  and  innovative  govemmentwide 
initiatives — ^they  are  not  linked  to  burden  reduction.  The  plan  also  does 


’’  FirstGov.gov  is  a  Web  site  that  is  intended  to  serve  as  a  portal  to  all  of  the  federal 
government’s  publicly  available,  on-line  information  services. 
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not  include  a  discussion  of  meeting  shared  data  needs  with  shared 
resources,  as  required  by  the  act. 

•  Notably  lacking  in  the  plan  is  any  description  of  progress  already  made  in 
applying  IRM  principles  to  improving  agency  performance  and  mission 
accomplishment.  Further,  the  plan’s  performance  measures  are  not  geared 
toward  providing  the  required  information  on  progress.  These  measures 
are  solely  focused  on  gauging  Council  progress  in  meeting  the  goals, 
rather  than  on  progress  in  improving  agency  and  program  performance. 

In  regard  to  the  consultations  required  by  PRA,  representatives  of  key 
agencies  currently  sit  on  the  Council  and,  thus,  participated  in  the 
development  of  the  plan,  according  to  OIRA  and  CIO  Council  officials. 
0MB  officials  also  indicated  that  by  conducting  meetings  with  these 
agencies,  and  through  other  guidance  and  review  activities,  the  strategic 
viewpoint  of  these  senior  officials  was  captured. 

In  discussing  our  views  of  the  CIO  Council  plan,  0MB  officials  responded 
that  while  the  CIO  Council  plan  is  OIRA’s  primary  means  of  complying 
with  the  strategic  planning  requirements  under  PRA,  0MB  produces  a 
range  of  other  documents  that  also  contain  elements  of  the 
governmentwide  plan.  It  is  this  collection  of  documents,  as  a  whole,  that 
constitutes  the  govemmentwide  strategic  IRM  plan  under  PRA.  According 
to  0MB  officials,  these  additional  documents  are  as  follows: 

•  Government  Information  Security  Reform  Act.  Under  this  act, 
agencies  are  required  to  report  to  0MB  annually  on  independent 
evaluations  of  their  information  security  programs.  0MB  is  then  required 
to  summarize  these  reports;  0MB  officials  said  that  this  summary  provides 
strategic  direction  for  the  security  area.  Agencies  reported  to  0MB  in 
September  2001;  0MB  issued  the  governmentwide  summary  on  February 
13,  2002. 

•  Budget  Information.  0MB  officials  cited  two  budget  documents  that 
provide  govemmentwide  strategic  direction.  According  to  these  officials. 
Table  22-1  in  the  budget  sets  strategic  direction  for  IT  and  e-government 
and  discusses  agency  perfomiance.  In  addition,  these  officials  stated  that 
the  exhibit  53s,  submitted  by  agencies  as  part  of  the  budget  process, 
provide  specific  performance  information  on  planned  spending  for  major 
and  significant  information  systems.  In  addition,  the  chief  statistician  cited 
the  annual  0MB  report.  Statistical  Programs  of  the  United  States 
Government,  which  describes  proposed  funding  and  priority  activities  for 
federal  statistics. 

•  Plans  Under  the  Government  Paperwork  Elimination  Act.  Under  this 
act,  agencies  are  required  to  report  to  0MB  on  their  plans  for  providing 
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the  public  with  the  option  of  submitting,  maintaining,  and  disclosing 
required  information  electronically,  instead  of  on  paper.  OIRA  has 
summarized  these  plans  in  a  database  which,  according  to  OIRA,  provides 
part  of  the  strategic  direction  for  IRM.  In  September  2001,®  we  reported  on 
the  status  of  agency  implementation  of  the  act.  We  found  that  although 
agency  implementation  plans  submitted  in  October  2000  included  much 
potentially  useful  information,  many  omissions  and  inconsistencies  were 
evident.  In  addition,  we  noted  that  the  plans  did  not  provide  sufficient 
information  regarding  agencies’  strategic  actions  that  could  minimize  the 
risk  of  not  meeting  the  deadline  for  providing  electronic  options.  We 
concluded  that  given  these  shortcomings,  0MB  would  be  challenged  in  its 
oversight  role  of  ensuring  that  agencies  comply  with  the  act.  In 
commenting  on  this  report,  0MB  officials  noted  that  in  October  2001,  they 
collected  additional  information  from  agencies  to  address  these  issues;  we 
did  not  review  this  additional  information. 

•  The  Information  Collection  Budget.  Each  year,  OIRA  publishes  an 
Information  Collection  Budget  by  gathering  data  from  executive  branch 
agencies  on  the  total  number  of  burden  hours®  OIRA  approved  for 
collection  of  information  at  the  end  of  the  fiscal  year,  and  agency 
estimates  of  the  burden  for  the  coming  fiscal  year.  This  document  includes 
a  governmentwide  goal  for  burden  reduction  and  reports  the  reasons  for 
any  increasing  burden.  It  also  highlights  agency  efforts  to  streamline  and 
reduce  information  collections  from  the  public  for  the  upcoming  fiscal 
year. 

•  The  National  Archives  and  Records  Administration  (NARA) 
Strategic  Pian.  0MB  officials  stated  that  this  plan  provides  a  strategy  for 
how  NARA  plans  to  fulfill  its  mission  and  that  agency  records  managers 
regard  this  plan  as  providing  strategic  direction  for  their  own  activities. 

•  The  President’s  Management  Agenda.  Again,  according  to  0MB 
officials,  the  e-govemment  goal  contained  in  the  president’s  management 
agenda  provides  a  strategic  vision  for  expanding  the  use  of  e-government. 
According  to  0MB  officials,  this  will  soon  be  supplemented  by  a  report 
specifically  on  the  e-govemment  initiative,  which  will  further  address 
strategic  direction  for  e-government. 


^Electronic  Government:  Better  Information  Needed  on  Agencies’  Implementation  of  the 
Government  Paperwork  Elimination  Act  (GAO-01-1100,  September  28,  2001). 

®  “Burden  hours”  are  the  principal  units  of  measure  of  paperwork  burden.  Burden  hours  are 
generally  calculated  as  a  function  of  estimates  of  (1)  the  amount  of  time  it  will  take  an 
individual  to  collect  and  provide  information  and  (2)  the  number  of  individuals  an 
information  collection  affects. 
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These  docximents — whether  viewed  individually  or  in  total — do  not 
address  the  weaknesses  we  have  identified.  Of  these  documents,  one 
report  stands  out  as  governmentwide  and  strategic — the  president’s 
management  agenda,  which  articulates  the  goal  of  expanding  e- 
government  as  well  as  strategies  for  accomplishing  that  goal.  Although  this 
agenda  adds  additional  perspective  on  the  administration’s  strategic 
direction  for  certain  aspects  of  IRM,  it  is  not  broad  enough  to  compensate 
for  the  weaknesses  in  the  CIO  Council  plan.  In  addition,  the  current  NARA 
strategic  plan  for  fiscal  years  1997-2007  includes  no  governmentwide 
goals  and  strategies  for  records  management.  Rather,  NARA’s  articulated 
goals  and  strategies  focus  on  the  mission  of  the  agency:  providing  ready 
access  to  information  that  documents  citizens’  rights,  officials’  actions, 
and  the  national  experience.  The  remaining  documents  deal  with  various 
aspects  of  the  government’s  use  of  information  resources,  but  are  not 
strategic  or  focused  on  the  future,  and  do  not  provide  goals,  strategies,  and 
performance  measures. 

Further,  the  multitude  of  documents — issued  at  different  points  in  time — 
that  OIRA  indicated  comprise  the  governmentwide  plan  are  neither 
integrated  nor  formalized  in  any  way.  Nor  is  there  any  published  tool  to 
identify  and  locate  these  documents,  should  agencies,  the  Congress,  or 
other  stakeholders  want  to  view  the  plan  in  its  totality.  As  a  result,  these 
documents  do  not  clearly  communicate  the  strategic  IRM  vision  of  the 
government. 

The  shortcomings  we  have  identified  in  the  current  plan  indicate  that 
OIRA  has  not  devoted  sufficient  attention  to  producing  an  effective 
governmentwide  strategic  IRM  plan.  As  a  result,  agencies  are  left  to 
address  information  needs  in  isolation  without  a  comprehensive  vision  to 
unify  their  efforts.  Further,  the  risk  is  increased  that  investments  in  IT  will 
not  be  leveraged  across  the  government;  that  duplicative  initiatives  will  be 
undertaken;  that  opportrmities  for  data  sharing  and  public  access  will  be 
missed;  that  privacy  will  be  compromised;  and  that  the  security  of 
information,  information  systems,  and  critical  infrastructure  will  be 
jeopardized.  Without  OIRA  leadership,  top-level  management 
commitment,  and  the  application  of  appropriate  resources  to  ensure  the 
development  of  a  comprehensive  and  meaningful  plan,  the  mounting 
challenges  that  the  government  faces  in  managing  information  may  not  be 
met. 
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OIRA  Has  Responded 
to  PRA  Policy, 
Oversight,  and 
Functional 
Responsibilities 


While  the  CIO  Council’s  strategic  plan  does  not  effectively  serve  as  the 
governmentwide  vehicle  envisioned  under  PRA,  OIRA  is  responding  to 
other  PRA  policymaking,  oversight,  and  functional  requirements.  OIRA 
officials  see  themselves  as  having  provided  leadership  in  IRM,  and  point  to 
the  successful  resolution  of  the  Year  2000  problem  as  among  OMB’s 
greatest  accomplishments  over  the  last  5  years.  They  also  cite  the 
establishment  of  FirstGov.gov  as  a  major  accomplishment.  We  agree  that 
these  are  significant.  In  fact,  our  work  on  the  Year  2000  issue  specifically 
acknowledged  the  important  role  that  0MB  played  in  leading, 
coordinating,  and  monitoring  federal  activity.  “  And  in  2000  we  testified 
that  FirstGov.gov  represented  an  important,  previously  unavailable 
capability  that  was  rapidly  and  successfully  put  into  place.” 


Regarding  the  development  of  general  IRM  policy,  OIRA  officials  said  that 
they  see  policymaking  as  a  primary  responsibility.  OIRA  most  recently 
updated  Circular  A-130,  Management  of  Federal  Information  Resources  in 
November  2000  to  incorporate  changes  resulting  from  the  Clinger-Cohen 
Act  of  1996  and  subsequent  policies  outlined  in  0MB  Circular  A-11.  This 
version  of  Circular  A-130  specifically  incorporates  the  requirements  that 
agencies  focus  IRM  planning  to  support  their  strategic  missions, 
implement  a  capital  planning  and  investment  control  process  that  links  to 
budget  formulation  and  execution,  and  rethink  and  restructure  their 
business  processes  before  investing  in  information  technology. 


In  terms  of  oversight,  according  to  OIRA  officials,  they  leverage  existing 
statutory  processes,  including  reviews  of  the  budget,  proposed  agency 
information  collections,  regulations,  legislation,  and  systems  of  records^^ 
under  the  Privacy  Act  to  oversee  agency  IRM  activities.  Additionally,  they 
noted  that  they  work  with  agency  CIOs  through  the  budget  process. 
Government  Performance  and  Results  Act  reporting,  and  information- 
collection  reviews  to  further  policy  oversight.  OIRA  officials  also 
emphasized  their  work  with  the  CIO  Council  and  other  interagency  groups 
as  a  means  of  overseeing  agency  activities.  They  stressed  that  0MB  is  not 


Year  2000  Computing  Challenge:  Lessons  Learned  Can  Be  Applied  to  Other 
Management  Challenges  (GAO/AIMD-00-290,  September  12,  2000). 

”  Electronic  Government:  Opportunities  and  Challenges  Facing  the  FirstGov  Web 
Gateway  (GAO-01-87T,  October  2,  2000). 

Under  the  Privacy  Act  of  1974,  any  group  of  records  under  the  control  of  an  agency  from 
which  information  is  retrieved  by  the  name  of  the  individual  or  by  some  identifying 
number,  symbol,  or  other  identifying  particular  assigned  to  the  individual. 
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an  audit  organization,  and  that  A- 130  requires  agencies  to  monitor  their 
own  compliance  with  IRM  policies,  procedures,  and  guidance. 

OIRA  has  also  taken  action  to  respond  to  the  specific  IRM  functional 
responsibilities  in  PRA:  information  collection,  dissemination,  statistical 
policy  and  coordination,  records  management,  privacy  and  security,  and 
IT.  Since  1995,  0MB  has  issued  guidance  in  each  of  these  areas  including 
on  such  topics  as  Internet  privacy,  dissemination,  and  information 
technology.  In  addition,  it  has  responded  to  specific  requirements  by 
reviewing  and  approving  proposed  agency  information  collections, 
appointing  a  chief  statistician  to  coordinate  statistical  activities,  seeking 
statutory  authority  to  expand  data  sharing  among  statistical  agencies,  and 
working  with  the  CIO  Council  to  improve  IT  management.  The  full  range 
of  these  actions  are  recounted  in  appendix  II. 

Our  past  work  demonstrates,  however,  that  OIRA  faces  continuing  and 
new  challenges  in  each  of  these  areas.  For  example: 

•  Information  Collection/Burden  Reduction.  Over  the  past  3  years,  we 
have  reported  that  federal  paperwork  has  continued  to  increase.  For 
example,  in  April  2001,  we  reported  that  paperwork  had  increased  by 
nearly  180  million  burden  hours  during  fiscal  year  2000 — the  second 
largest  1-year  increase  since  the  act  was  passed.'®  This  increase  was  largely 
attributable  to  the  Internal  Revenue  Service,  which  raised  its  paperwork 
estimate  by  about  240  million  burden  hours.  We  also  reported  that  PRA 
violations — in  which  information-collection  authorizations  from  0MB  had 
expired  or  were  otherwise  inconsistent  with  the  act’s  provisions — had 
declined  from  710  to  487,  but  were  still  a  serious  problem.  We  concluded 
that  while  OIRA  had  taken  some  steps  to  limit  violations,  more  needed  to 
be  done,  including  taking  steps  to  work  with  the  budget  side  of  0MB  to 
bring  agencies  into  compliance.'''  In  commenting  on  this  report,  0MB 
officials  noted  that  in  November  2001,  the  OIRA  administrator  and  0MB 
general  counsel  sent  a  memorandum  to  agencies  stressing  the  importance 
of  having  agencies  eliminate  existing  violations  and  prevent  new  ones. 


Paperwork  Reduction  Act:  Burden  Estimates  Continue  to  Increase  (GAO-01-648T,  April 
24,  2001). 

'''  Paperwork  Reduction  Act:  Burden  Increases  at  IRS  and  Other  Agencies 
(GAO/T-GGD-00-114,  April  12, 2000)  and  Paperumrk  Reduction  Act:  Burden  Increases  and 
Unauthorized  Information  Collections  (GAO/T-GGD-99-78,  April  15,  1999). 
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•  Information  Dissemination.  Two  recent  reports  underscored  the 
evolving  nature  of  information  dissemination  issues  and  the  challenges 
that  the  government  faces  in  moving  toward  increased  electronic 
dissemination  of  information.  One  on  the  National  Technical  Information 
Service  (NTIS) — a  repository  for  scientific  and  technical  information — 
stated  that  rising  demand  for  electronic  products,  coupled  with  increasing 
availability  of  this  information  on  the  Internet,  raised  fundamental  issues 
about  how  the  information  should  be  collected,  stored,  and 
disseminated — and  specifically,  about  the  future  of  NTIS  itself.^® 
Specifically,  we  raised  pohcy  questions  concerning  whether  a  central 
repository  was  still  needed  and  if  so,  how  it  should  be  structured.  In 
addition,  our  report  on  the  Government  Printing  Office — which  prints  and 
disseminates  publications  for  all  three  branches  of  government — 
concluded  that  while  electronic  dissemination  of  government  publications 
provided  an  attractive  alternative  to  paper,  a  number  of  challenges  would 
need  to  be  overcome  if  the  government  were  to  increase  electronic 
dissemination.  These  challenges  included  ensuring  permanence,  equitable 
access,  and  authenticity  of  documents  in  an  electronic  environment.  “ 

•  Statistical  Policy.  In  March  1998,  in  testimony  on  a  reorganization 
proposal  involving  part  of  the  federal  statistical  system,  we  summarized 
our  past  work  in  this  area.”  We  concluded  that  the  inability  of  agencies  to 
share  data  is  one  of  the  most  significant  issues  facing  the  statistical 
system,  and  one  of  the  major  factors  affecting  the  quality  of  data,  the 
efficiency  of  the  system,  and  the  amount  of  burden  placed  on  those  who 
provide  information  to  the  agencies.’® 

•  Records  Management.  Last  July  we  testified  that  the  management  of 
electronic  records  was  a  substantial  challenge  facing  the  government  and 
the  National  Archives  and  Records  Administration  in  implementing  the 
Government  Paperwork  Elimination  Act  and  in  moving  toward  e- 


Information  Management:  Dissemination  of  Technical  Reports  (GAO-01-490,  May  18, 
2001). 

Information  Management:  Electronic  Dissemination  of  Government  Publications 
(GAO-01-428,  March  30,  2001). 

”  Statistical  Agencies:  fh-oposed  Consolidation  and  Data  Sharing  Legislation 
(GAO/T-GGD-98-91,  March  26,  1998). 

See  also  Record  Linkage  and  Privacy:  Issues  in  Creating  New  Federal  Research  and 
Statistical  Information  (GAO-01-126SP.  April  2001),  which  discusses  the  benefits  from  and 
the  privacy  issues  raised  by  record  linkages — combining  multiple  sources  of  existing 
data — conducted  for  research  and  statistical  purposes. 
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government.^  We  underscored  the  need  for  strong,  central  leadership  to 
overcome  this  challenge. 

•  Privacy.  In  September  2000,  we  reported  that  most  Web  sites  we  reviewed 
had  posted  privacy  policies  but  had  not  consistently  posted  policies  on 
pages  we  identified  as  collecting  substantial  amounts  of  personal 
information.  We  concluded  that  OMB’s  guidance  was  unclear  in  several 
respects,  and  contained  undefined  language.^  And  last  April  we  reported 
on  agency  use  of  Internet  “cookies”^^  and  concluded  that  OMB’s  guidance 
left  agencies  to  implement  fragmented  directives  contained  in  multiple 
documents.  Further,  the  guidance  itself  was  not  clear  on  the  disclosure 
requirements  for  a  certain  type  of  cookie.^ 

•  Information  Technology.  In  last  January’s  Performance  and 
Accountability  Series  of  reports,  we  identified  information  technology 
management — including  improving  the  collection,  use,  and  dissemination 
of  government  information;  strengthening  computer  security;  and 
strengthening  IT  management  processes — as  a  major  management 
challenge  facing  the  federal  government.^®  We  pointed  out  that  the 
momentum  generated  by  the  government’s  response  to  the  Year  2000 
change  should  not  be  lost,  and  that  the  lessons  learned  should  be 
considered  in  addressing  other  pressing  challenges.  The  report  further 
reemphasized  the  need  for  sustained  and  focused  central  leadership,  and 
particularly  for  a  federal  chief  information  officer  to  provide  strong  focus 
and  attention  to  the  full  range  of  IRM  and  IT  issues. 

•  Information  Security.  Since  1997,  we  have  designated  information 
security  as  a  high-risk  area  because  growing  evidence  indicated  that 
controls  over  computerized  federal  operations  were  not  effective  and 
related  risks  were  escalating,  in  part  due  to  increasing  reliance  on  the 
Internet.  ^  While  many  actions  have  been  taken,  current  activity  is  not 


'^Electronic  Government:  Challenges  Must  Be  Addressed  With  Effective  Leadership  and 
Management  (GAO-01-959T,  July  11,  2001). 

Internet  Privacy:  Agencies’  Efforts  to  Implement  OMB’s  Privacy  Policy 
(GAO/GGD-00-191,  September  5, 2000). 

Text  files  that  have  unique  identifiers  associated  with  them  and  are  used  to  store  and 
retrieve  information  that  allows  Web  sites  to  recognize  returning  users,  track  on-line 
purchases,  or  maintain  and  serve  customized  Web  pages. 

Internet  Privacy:  Implementation  of  Federal  Guidance  for  Agency  Use  of  “Cookies” 
(GAO-01-424,  April  27,  2001). 

Major  Management  Challenges  and  Program  Risks:  A  Govemmentwide  Perspective 
(GAO-01-241,  January  2001). 

High-Risk  Series:  An  Update  (GAO-01-263,  January  2001). 
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keeping  pace  with  the  growing  threat.  In  recent  testimony,  we  reported 
that  our  most  recent  analyses  of  audit  reports  published  from  July  2000 
through  September  2001,  continued  to  show  significant  weaknesses  at 
each  of  the  24  agencies  included  in  our  review.  Consequently,  critical 
operations,  assets,  and  sensitive  information  gathered  from  the  public  and 
other  sources  continued  to  be  vulnerable  to  disruption,  data  tampering, 
fraud,  and  inappropriate  disclosure.  While  recognizing  that  the 
administration  had  taken  a  number  of  positive  steps  to  protect  critical 
public  and  private  information  systems,  we  concluded  that  the 
government  still  faced  a  challenge  in  ensuring  that  risks  from  cyber  threats 
are  appropriately  addressed  in  the  context  of  the  broader  array  of  risks  to 
the  nation’s  welfare.  Further,  we  recommended  that  the  federal 
government’s  strategy  for  protecting  these  systems  define  (1)  specific 
roles  and  responsibilities,  (2)  objectives,  milestones,  and  an  action  plan, 
and  (3)  performance  measures. 

Over  the  years,  we  have  made  numerous  recommendations  to  both  0MB 
and  the  agencies  on  IRM  matters.  While  actions  have  been  taken  to 
respond  to  our  recommendations,  more  needs  to  be  done.  Some  of  the 
more  significant  recommendations  involving  OIRA  that  have  not  yet  been 
implemented  include  the  following: 

•  In  1996,  in  reporting  on  Clinger-Cohen  Act  implementation,  we 
recommended  that  0MB  identify  the  type  and  amount  of  skills  required  for 
0MB  to  execute  IT  portfolio  analyses;  determine  the  degree  to  which  these 
needs  are  currently  satisfied;  specify  the  gap;  and  design  and  implement  a 
plan  to  close  the  gap.^®  Although  OIRA  officials  said  they  are  examining 
their  staffing  needs,  no  systematic  review  has  been  conducted  to  date. 

•  In  the  same  1996  report,  we  recommended  that  0MB  evaluate  information 
system  project  cost,  benefit,  and  risk  data  when  analyzing  the  results  of 
agency  IT  investments.  Such  analyses  should  produce  agency  track 
records  that  clearly  and  definitively  show  what  improvements  in  mission 
performance  have  been  achieved  for  the  IT  dollars  expended.  Although 
0MB  has  provided  anecdotal  evidence  of  expected  and  actual  mission 
performance  improvements  for  some  major  systems  projects,  it  is  not 


Computer  Security:  Improvements  Needed  to  Reduce  Risk  to  Critical  Federal 
Opera  tions  and  Assets  (GAO-02-231T,  November  9,  2001). 

Information  Technology  Investment:  Agencies  Can  Improve  Performance,  Reduce 
Costs,  and  Minimize  Risks  (GAO/AIMD-96-64,  September  30,  1996). 
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clear  that  0MB  has  constructed  or  plans  to  construct  systematic  agency 
track  records. 

•  In  1998,  in  a  report  on  OIRA’s  implementation  of  PRA,  we  recommended 
that  0MB  ensure  that  its  annual  performance  plan  and  program  reports  to 
the  Congress  under  the  Government  Performance  and  Results  Act  identify 
specific  strategies,  resources,  and  performance  measures  that  it  will  use  to 
address  OIRA’s  PRA  responsibilities.^’^  0MB  has  not  acted  on  this 
recommendation. 

•  In  2000,  in  a  report  on  Internet  privacy,  we  recommended  that  0MB  (1) 
consider  how  best  to  help  agencies  better  ensure  that  individuals  are 
provided  clear  and  adequate  notice  about  how  their  personal  information 
is  treated  when  they  visit  federal  Web  sites,  and  (2)  determine  whether 
current  oversight  strategies  are  adequate.^®  In  addition,  in  reporting  on 
federal  agency  use  of  Internet  cookies,  we  recommended  that  0MB  unify 
its  guidance  on  Web  site  privacy  policies  and  clarify  the  resulting  guidance 
to  provide  comprehensive  direction  on  the  use  of  cookies  by  federal 
agencies  on  their  Web  sites.^®  Although  OIRA  officials  said  that  they  plan  to 
launch  a  privacy  initiative  to  address  these  recommendations,  no  action 
has  been  taken  to  date. 


Conclusions 


Current  and  emerging  challenges — including  the  events  of  September  11 
and  the  subsequent  anthrax  attacks — emphasize  the  importance  of  the 
integrated  approach  that  IRM  embodies  and  the  need  for  a  strategic  plan 
to  guide  the  government’s  management  of  its  increasingly  valuable 
information  resources.  However,  OIRA  has  not  established  an  effective 
governmentwide  strategic  IRM  plan  to  accomplish  this.  Given  the 
magnitude  of  the  changes  that  have  occurred  since  the  CIO  Council  plan 
was  published  in  October  2000,  OIRA  has  both  an  obligation  and  an 
opportunity  to  lead  the  development  of  a  unified  governmentwide  plan 
that 

communicates  a  clear  and  comprehensive  vision  for  how  the  government 
will  use  information  resources  to  improve  agency  performance. 


Regulatory  Management:  Implementation  of  Selected  0MB  Responsibilities  Under  the 
Paperwork  Reduction  Act  (GAO/GGD-98-120,  July  9, 1998). 

GAO/GGD-00-191,  September  6,  2000. 

GAO-OM24,  April  27,  2001. 
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•  is  responsive  to  the  current  external  environment  including  the  impact  of 
recent  terrorist  attacks  and  other  trends, 

•  recognizes  the  resources  including  human  capital  needed  to  achieve 
governmentwide  IRM  goals,  and 

•  reflects  consultation  with  all  stakeholders — including  the  Office  of 
Homeland  Security,  entities  involved  in  information  security  and  critical 
infrastructure  protection,  and  the  officials  identified  in  the  act — who  are 
critical  to  meeting  IRM  challenges  and  the  goals  the  administration  has 
established  in  its  management  agenda. 

The  shortcomings  we  identified  in  the  CIO  Coimcil  plan  call  into  question 
the  degree  of  management  attention  that  OIRA  has  devoted  thus  far  to 
producing  the  govemmentwide  plan.  Without  such  a  plan,  OIRA  and  the 
agencies  lack  a  unifying  governmentwide  vision  for  how  investments  in 
and  use  of  information  resources  will  facilitate  the  current  and  emerging 
agenda  of  the  federal  government.  Further,  the  risk  is  increased  that 
investments  in  IT  will  not  be  leveraged  across  the  government;  that 
duplicative  initiatives  will  be  undertaken;  that  opportunities  for  data 
sharing  and  public  access  will  be  missed;  that  privacy  will  be 
compromised;  and  that  the  security  of  information,  information  systems, 
and  critical  infrastructure  will  be  jeopardized.  Without  OIRA  leadership, 
top-level  management  commitment,  and  the  application  of  appropriate 
resources  to  ensure  the  development  of  a  comprehensive  and  meaningful 
plan,  the  mounting  challenges  that  the  government  faces  in  managing 
information  may  not  be  met. 

While  OIRA  has  not  yet  established  an  effective  governmentwide  IRM 
plan,  it  has  taken  action  to  respond  to  other  PRA  policymaking,  oversight, 
and  functional  requirements.  Nevertheless,  OIRA  faces  challenges  in 
managing  critical  information  resources  and  many  of  the 
recommendations  we  have  made  over  the  years  have  not  yet  been 
implemented. 


Recommendations 


In  order  to  address  the  current  and  emerging  challenges  that  the 
government  faces  in  managing  information  resources  and  take  advantage 
of  opportunities  for  improvement,  we  recommend  that  the  administrator, 
OIRA,  develop  and  implement  a  governmentwide  strategic  IRM  plan  that 
articulates  a  comprehensive  federal  vision  and  plan  for  all  aspects  of 
government  information.  In  addition,  recognizing  the  new  emphasis  that 
0MB  has  placed  on  e-govemment,  it  will  be  important  that  the 
administrator  work  in  conjunction  with  the  associate  director  for 
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technology  and  e-govemment  in  developing  this  plan.  In  particular,  the 
following  actions  should  be  taken: 

•  Consistent  with  the  Paperwork  Reduction  Act,  establish  governmentwide 
goals  for  IRM  that  are  linked  to  improvements  in  agency  and  program 
performance,  identify  strategies  for  achieving  the  goals  that  clearly  define 
the  roles  of  OIRA  and  agencies,  and  develop  performance  measures  to 
assess  progress  in  using  IRM  to  improve  agency  and  program 
performance. 

•  Assess  the  external  environment  and  emerging  future  challenges  and 
trends,  including  the  recent  terrorist  attacks,  and  their  impact  on  the 
government’s  collection,  use,  maintenance,  and  dissemination  of 
information. 

•  As  part  of  an  assessment  of  the  government’s  internal  environment, 
determine  the  resources,  including  human  capital,  needed  to  meet 
governmentwide  IRM  goals.  This  should  include  an  assessment  of  OIRA’s 
human  capital  capability,  including  the  numbers  of  staff  and  types  of  skills 
needed,  to  conduct  this  strategic  planning  process  and  lead 
governmentwide  implementation  of  the  resulting  plan.  Based  on  this 
assessment,  the  administrator,  OIRA,  should  seek  to  fill  any  gaps 
identified. 

•  Seek  involvement  in  the  planning  processes  from  the  CIO  Council,  the 
Office  of  Homeland  Security,  entities  involved  in  information  security  and 
critical  infrastructure  protection,  federal  agencies,  private-sector 
organizations,  state  and  local  governments,  and  other  relevant 
stakeholders  in  meeting  the  government’s  needs  for  a  strong  and  unified 
information  management  vision. 


Agency  Comments 
and  Our  Evaluation 


In  written  comments  on  a  draft  of  this  report,  which  are  reprinted  in 
appendix  III,  the  director,  0MB,  recognized  that  our  report  had  significant 
implications  for  agency  PRA  implementation  but  expressed  several 
concerns  with  its  contents.  First,  he  expressed  concern  that  the  report 
narrowly  focuses  on  the  finding  that  a  governmentwide  strategic  plan  must 
be  a  single  document.  He  reiterated  OMB’s  position  that  the  documents 
they  cited  during  our  review — the  CIO  Council  Strategic  Plan,  the 
information  collection  budget,  the  president’s  management  agenda,  and 
others — and  the  president’s  budget  for  2003,  which  was  released  after  our 
draft  report  was  sent  for  comment — in  total  meet  the  requirements  for  a 
governmentwide  strategic  IRM  plan  and  provide  adequate  strategic 
direction  to  agencies.  Second,  the  director  expressed  concern  that  the 
report  does  not  incorporate  the  role  of  the  associate  director  for 
information  technology  and  e-government  into  its  findings  or  analysis. 
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The  director  stated  that,  in  leading  implementation  of  the  e-government 
strategy  outlined  in  the  president’s  management  agenda,  the  associate 
director  provides  strategic  direction  to  agencies  for  many  of  the  functions 
in  PRA,  including  information  security,  privacy,  e-government,  IT 
spending,  enterprise  architecture,  and  capital  planning,  and  leads  the  work 
of  OIRA  and  other  0MB  offices  to  improve  agency  performance  on  these 
issues.  Lastly,  the  director  stated  that  the  report  does  not  analyze  the 
impact  of  OMB’s  policies  and  practices — established  in  response  to  the 
requirements  of  PRA  and  other  IRM  statutes — on  agency  performance.  He 
further  stated  that  such  an  analysis  would  demonstrate  that  the  president’s 
e-government  initiative  and  other  actions  are  highly  effective  in  carrying 
out  the  purposes  of  PRA. 

We  disagree  with  the  director’s  statement  that  our  report  narrowly  focuses 
on  the  requirement  for  a  strategic  plan  to  be  a  single  document.  We 
performed  a  rigorous  analysis  of  the  documents  cited  by  0MB  during  our 
review  and  compared  their  contents  against  the  requirements  of  the  PRA. 
Our  primary  finding  was  that  these  documents  do  not,  separately  or 
collectively,  meet  the  requirements  for  a  governmentwide  plan.  As 
discussed  in  our  report,  we  acknowledge  the  strategic  elements  of  the  CIO 
Council  plan  and  the  president’s  management  agenda  but  found  that  these 
documents  do  not  comprehensively  cover  IRM  issues  and  are  missing 
other  key  elements  of  a  strategic  IRM  plan.  The  remaining  documents 
cited  by  0MB  are  not  strategic  or  focused  on  the  future,  and  do  not 
provide  goals,  strategies,  and  performance  measures.  Further,  we  think 
there  is  value  in  crafting  a  single  plan — not  only  because  it  is  required  by 
PRA  but  also  because  it  would  provide  a  vehicle  for  clearly 
commimicating  an  integrated  strategic  IRM  vision  to  agencies,  the 
Congress,  and  the  public.  However,  contrary  to  what  OMB’s  letter  implies, 
we  do  not  believe  that  0MB  must  necessarily  produce  an  entirely  new 
document  to  accomplish  this.  0MB  has  options  for  building  on  past 
efforts — including  the  CIO  council  strategic  plan,  the  president’s 
management  agenda,  and  the  president’s  budget  for  2003 — to  develop  a 
plan  that  contains  a  comprehensive  strategic  statement  of  goals  and 
resources. 

Regarding  the  budget  for  2003 — released  after  our  draft  report  was  sent 
for  comment — ^this  document  identifies  e-government  and  IT  management 
reform  as  administration  priorities.  Specifically,  it  contains  (1)  a 
description  of  IT  management  issues  including  duplicative  IT  investments 
and  the  failure  of  IT  investments  to  significantly  improve  agency 
performance,  (2)  additional  information  on  the  administration’s  e- 
government  goals  and  strategies  and  high-level  descriptions  of  specific  e- 
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government  initiatives,  (3)  descriptions  of  agency  progress  in  developing 
capital  planning  and  investment  control  processes,  enterprise 
architectures,  and  business  cases  for  IT  projects,  and  in  implementing  e- 
government,  and  (4)  identifies  process  improvement  milestones  for 
calendar  year  2002. 

The  budget  also  contains  a  scorecard  used  to  grade  agency  progress  in  the 
five  governmentwide  initiatives — including  e-government — described  in 
the  president’s  management  agenda.  In  addition,  for  major  IT  investments, 
the  budget  identifies  total  investments  for  2001  through  2003,  links  each 
investment  to  the  agency’s  strategic  goals,  and  provides  performance  goals 
and  measures  for  these  projects.  The  budget  also  contains  a  discussion  on 
strengthening  federal  statistics  and  identifies  four  programs  supported  by 
the  budget  that  are  intended  to  address  shortcomings  in  the  statistical 
infrastructure. 

Our  preliminary  analysis  indicates  that  this  budget  contains  many  of  the 
elements  required  in  a  strategic  plan  that  were  not  present  in  previous 
documents  cited  by  0MB  and,  when  viewed  in  conjrmction  with  the 
president’s  management  agenda,  represents  credible  progress  toward 
developing  a  govemmentwide  plan.  Specifically,  it  includes  a  discussion — 
within  the  context  of  e-government — of  how  the  government  will  use 
information  resources  to  improve  agency  performance,  and  identifies 
goals  and  strategies.  It  also  discusses  other  required  elements,  including 
(1)  enhancing  public  access  to  and  dissemination  of  information  and  (2) 
meeting  the  IT  needs  of  the  government,  and  cites  the  need  to  reduce 
reporting  burden  on  businesses  and  share  data  among  federal  agencies. 
Further,  it  provides  the  status  of  agency-by-agency  progress  in  establishing 
IT  management  processes  and  implementing  e-government  and  the 
scorecard  provides  a  means  of  measuring  agency  progress.  The  discussion 
also  links  improving  information  sharing  among  levels  of  government  to 
providing  for  homeland  security. 

However,  some  of  the  areas  that  the  budget  does  not  appear  to  address 
include  (1)  the  role  of  OIRA  and  the  CIO  Council  in  implementing  the 
government’s  strategies,  (2)  an  assessment  of  the  long-term  resources 
(beyond  fiscal  year  2003) — including  human  capital — ^needed  to  meet  the 
goals,  and  (3)  how  key  stakeholders  were  involved  in  developing  these 
plans.  Nevertheless,  based  on  a  preliminary  review  of  this  document,  it 
appears  to  address,  in  part,  the  recommendations  in  this  report.  We  intend 
to  follow  up  on  this  and  other  documents  that  0MB  has  indicated  are 
forthcoming  to  determine  the  extent  to  which  our  recommendations  are 
fully  addressed. 
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We  acknowledge  the  role  that  0MB  has  given  to  the  associate  director  to 
provide  strategic  direction  to  agencies  and  we  support  additional  efforts  to 
focus  attention  on  IRM  matters,  especially  given  the  magnitude  of  the 
government’s  challenges.  However,  we  believe  that  a  governmentwide 
strategic  IRM  plan  is  nonetheless  needed  to  communicate  an  integrated 
IRM  vision  to  the  Congress  and  other  key  stakeholders,  as  well  as  federal 
agencies.  As  a  result,  we  have  modified  our  recommendations  to  recognize 
the  importance  of  the  administrator’s  working  in  conjunction  with  the 
associate  director  to  articulate  a  comprehensive  IRM  vision  and  develop  a 
governmentwide  plan  that  meets  PRA  requirements. 

Finally,  we  acknowledge  that  we  did  not  assess  the  impact  of  OlRA’s 
policymaking  and  oversight  efforts — performed  in  response  to  the 
requirements  of  the  PRA  and  other  IRM  legislation — on  agency 
performance.  However,  our  past  work,  referenced  in  this  report,  provides 
ample  evidence  of  agency  performance  problems  in  such  areas  as  IT 
management,  security,  privacy,  and  data  sharing  and  confirms  that  0MB 
faces  significant  and  continuing  challenges  in  these  area.  Further,  as 
discussed  in  our  report,  our  past  work  led  to  our  identifying  information 
security  as  a  govemmentwide  high-risk  area  and  IT  management  as  a 
major  management  challenge.  In  fact,  0MB  identifies  some  of  these  same 
performance  problems  in  its  budget  for  2003  and  in  its  related  assessments 
of  agency  progress  in  expanding  e-government.  In  addition,  we  note  that 
the  president’s  e-govemment  initiative  is  clearly  in  its  early  stages;  any 
efforts  to  evaluate  its  impact  on  agency  performance  at  this  time  would  be 
premature. 

The  deputy  administrator,  OIRA,  and  other  officials  also  separately 
provided  oral  technical  comments,  which  we  have  incorporated  as 
appropriate. 


As  agreed  with  your  office,  unless  you  publicly  announce  the  contents  of 
this  report  earlier,  we  plan  no  further  distribution  until  30  days  from  the 
date  of  this  letter.  At  that  time,  we  will  provide  copies  to  the  ranking 
minority  member.  Senate  Committee  on  Governmental  Affairs;  the 
chairman  and  ranking  minority  member.  House  Committee  on 
Government  Reform;  and  the  director.  Office  of  Management  and  Budget. 
Copies  will  also  be  available  on  our  Web  site  at  www.gao.gov. 
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If  you  have  any  questions,  please  contact  me  at  (202)  512-6240  or  Patricia 
D.  Fletcher,  assistant  director,  at  (202)  512-4071.  We  can  also  be  reached 
by  e-mail  at  koontzl@gao.gov  andJletcherp@gao.gov,  respectively.  Key 
contributors  to  this  report  were  Michael  P.  Fruitman,  Ona  M.  Noble, 
Robert  P.  Parker,  Colleen  M.  Phillips,  and  David  F.  Plocher. 

Sincerely  yours, 

Linda  D.  Koontz 

Director,  Information  Management  Issues 
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Appendix  I:  Scope  and  Methodology 


To  evaluate  the  adequacy  of  OIRA’s  strategic  planning  efforts,  we 
performed  a  content  analysis  of  the  Federal  Chief  Information  Officers 
(CIO)  Coxmcil  Strategic  Plan  for  fiscal  years  2001-2002 — which  OIRA 
officials  identified  as  the  governmentwide  IRM  plan — and  compared  it 
with  specific  PRA  requirements  (S  3505  A).  We  also  interviewed  OIRA  and 
CIO  Council  officials  to  obtain  information  on  the  plan’s  preparation.  We 
reviewed  our  prior  reports  for  information  on  evaluations  and 
recommendations  made  for  previous  OIRA  governmentwide  strategic  IRM 
plans.  Further,  to  understand  the  challenges  the  government  faces  in 
managing  information  in  today’s  environment,  we  reviewed  our  more 
recent  reports  on  terrorism,  bioterrorism,  and  homeland  security  issues.  In 
addition,  we  reviewed  The  President’s  Management  Agenda  for  Fiscal 
Year  2002. 

We  also  reviewed  additional  documents  that,  according  to  OIRA,  also 
comprise  the  govemmentwide  IRM  plan.  These  included  the  1997-2007 
Strategic  Plan  of  the  National  Archives  and  Records  Administration, 

OMB’s  Information  Collection  Budget,  the  exhibit  53s  and  table  22-1  in  the 
president’s  budget  for  fiscal  year  2002,  and  OMB’s  Statistical  Programs  of 
the  United  States  Government.  We  also  reviewed  0MB  memoranda  to 
agencies  entitled  Procedures  and  Guidance  on  Implementing  the 
Government  Paperwork  Elimination  Act  (April  25,  2000),  Guidance  for 
Preparing  and  Submitting  Security  Plans  of  Action  and  Milestones 
(October  17,  2001),  and  Implementation  of  the  President’s  Management 
Agenda  and  Presentation  of  the  Fiscal  Year  2003  Budget  Request 
(October  30,  2001).  Finally,  we  reviewed  the  president’s  budget  for  fiscal 
year  2003  after  it  was  released  on  February  4,  2002. 

To  determine  OIRA  actions  to  respond  to  specific  IRM  functional 
requirements,  we  reviewed  0MB  circulars,  bulletins,  memoranda,  and 
other  documents.  In  addition,  we  interviewed  OIRA  officials  responsible 
for  each  of  the  functional  areas.  We  reviewed  our  prior  work  on  this 
subject,  and  assessed  OIRA’s  status  regarding  outstanding 
recommendations.  We  focused  primarily  on  actions  taken  by  OIRA  since 
1995,  the  date  of  the  most  recent  PRA  amendments.  However,  we  did  not 
assess  the  adequacy  of  OIRA’s  actions  to  respond  to  these  requirements. 
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Appendix  II:  Key  Requirements  of  the 
Paperwork  Reduction  Act  and  OIRA  Actions 


OIRA  requirements 

Actions  taken 

Section  3504(b):  General  IRM  Policy 

Develop  and  oversee  the  implementation  of 
uniform  information  resources  management 
policies,  principles,  standards,  and  guidelines. 

•  0MB  revised  its  IRM  policy  guidance.  Circular  No.  A-130,  to  reflect  the  1995  Act 
and  to  reflect  the  Clinger-Cohen  Act  of  1996  and  other  matters.  Circular  A-130 
complements  5  CFR  1320,  “Controlling  Paperwork  Burden  on  the  Public.” 

•  OIRA’s  general  approach  to  oversight  is  to  leverage  its  existing  statutory 
processes,  including  the  budget,  regulatory  review,  information  collection  review, 
legislative  review,  Privacy  Act  systems  of  record  review,  and  periodic  reports 
from  the  agencies. 

Foster  greater  sharing,  dissemination,  and 
access  to  public  information,  including  through 

•  the  use  of  the  Government  Information 
Locator  Service  (GILS);  and 

•  the  development  of  utilization  of  common 
standards  for  information  collection,  storage, 
and  processing  and  communications, 
including  standards  for  security 
interconnectivity. 

•  OIRA  officials  acknowledged  that  GILS  is  still  a  requirement;  however,  they 
stated  that  increased  use  of  the  Internet,  coupled  with  the  development  of  more 
powerful  search  engines,  has  lessened  the  importance  of  this  approach  to 
locating  government  information. 

•  They  highlighted  the  establishment  of  FirstGov.gov — a  federal  government  portal 
that  provides  a  single  point  of  access  to  all  federal  government  information 
posted  on  the  World  Wide  Web — as  a  major  accomplishment  in  this  area.  In 
addition,  OIRA  has  worked  with  the  CIO  Council  to  establish  Access  America 
portals  in  the  areas  of  health,  trade,  students,  and  seniors. 

•  OIRA  does  not  set  technical  standards;  0MB  works  with  NIST  and  consults  with 
the  CIO  Council  to  define  policv  standards  for  operational  matters. 

Initiate  and  review  proposals  for  changes  in 
legislation,  regulations,  and  agency  procedures 
to  improve  information  resources  management 
practices. 

•  OIRA  officials  say  they  do  not  initiate  legislative  proposals,  but  review  them  via 
consultation  with  the  CIO  Council,  individual  agencies,  and  OMB’s  Legislative 
Reference  Division.  Altogether,  OIRA  receives  about  5  or  6  proposals  each  day. 

•  OIRA  does  not  have  a  systematic  process  for  initiating  or  reviewing  agency 
procedures  to  improve  IRM. 

Oversee  the  development  and  implementation 
of  best  practices  in  IRM,  including  training. 

•  OIRA  officials  stated  that  they  encourage  agencies  to  follow  best  practices — 
relying  on  the  CIO  Council’s  leadership  and  influence. 

•  NIST  disseminates  security  best  practices. 

Oversee  agency  integration  of  program 
management  functions  with  IRM  functions. 

OIRA  officials  stressed  that  agencies  are  responsible  for  overseeing  their  own 
management  functions  through  the  agency’s  CIO. 

Section  3504(c):  Collection  and  Control  of  Paperwork 

Review  and  approve  proposed  agency 
collections  of  information. 

OIRA  operates  the  paperwork  clearance  process  established  under  the  Paperwork 
Reduction  Act  of  1980.  OIRA  has  draft  guidance  for  agency  compliance  with  the 

PRA’s  paperwork  clearance  requirements  (preliminary  January  1997  draft,  revised 
August  1999).  In  fiscal  year  2001,  OIRA  reviewed  1,521  proposed  agency 
collections,  approved  1 , 41 1 ,  and  disapproved  5.  The  remainder  were  withdrawn  or 
returned  to  the  agency. _ 


Coordinate  the  review  of  information  collection 
concerning  procurement  and  acquisition  with 
the  Office  of  Federal  Procurement  Policy 
(OFPP). 

According  to  OIRA,  the  desk  officers  responsible  for  information  collection  review 
routinely  coordinate  collections  concerning  procurement  and  acquisition  with  OFPP, 
but  such  coordination  is  not  documented. 

Minimize  information  collection  burden  and 
maximize  the  practical  utility  of  and  public 
benefit  from  information  collected. 

According  to  OIRA,  the  information  collection  review  process  is  used  to  minimize 
information  collection  burden  and  maximize  practical  utility  and  public  benefit. 

Establish  and  oversee  standards  and 
guidelines  for  estimated  paperwork  burden. 

OIRA  published  standards  for  estimating  paperwork  burden  in  1999,  and  oversees 
implementation  through  the  paperwork  clearance  process. 

Section  3504(d):  Information  Dissemination 

Develop  and  oversee  the  implementation  of 
policies,  principles,  standards,  and  guidelines 
to 

•  apply  to  agency  dissemination,  regardless  of 
form  or  format;  and 

•  In  1995  0MB  issued  guidance  (M-95-22,  9/29/95)  on  implementing  the 
information  dissemination  provisions  of  PRA.  This  guidance  was  incorporated 
into  its  February  1996  revisions  to  A-130. 

•  According  to  OIRA  officials,  0MB  has  been  in  consultation  with  stakeholders  and 
other  interested  parties  to  discuss  the  current  information  policies  of  A-130  and  to 
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Appendix  II:  Key  Requirements  of  the 

Paperwork  Reduction  Act  and  OIRA  Actions 

OIRA  requirements 

Actions  taken 

•  promote  public  access  to  information. 

discern  if  they  continues  to  address  the  needs  of  agencies  and  stakeholders  in 
using  government  information. 

•  OIRA  officials  also  said  that  oversight  of  this  policy  is  accomplished  through  the 
information  collection  process,  conversations  with  agency  CIOs,  review  of 
agency  Web  sites,  and  discussions  with  agency  personnel. 

Section  3504(e):  Statistical  Policy  and  Coordination 

Appoint  a  chief  statistician  to  coordinate  the 
activities  of  the  federal  statistical  system. 

0MB  has  appointed  a  chief  statistician  who  heads  OIRA’s  Statistical  Policy  Branch 
and  is  responsible  for  these  functions. 

Establish  an  interagency  council  on  statistical 
policy  to  advise  and  assist  OIRA  in  carrying  out 
these  functions. 

The  PRA  of  1995  formalized  the  Interagency  Council  on  Statistical  Policy  (ICSP),  to 
advise  and  assist  the  director  of  0MB  in  carrying  out  statistical  policy  and 
coordination  functions.  The  ICSP  is  headed  by  the  chief  statistician  and  consists  of 
the  heads  of  major  statistical  programs  as  well  as  representatives  of  other  statistical 
agencies  on  a  rotating  basis. 

Prepare  an  annual  report  on  statistical  program 
funding. 

The  chief  statistician  prepares  an  annual  report,  entitled  Statistical  Programs  of  the 
United  States  Government,  on  the  activities  of  the  statistical  system,  including 
program  funding. 

Coordinate  the  federal  statistical  system  to 
ensure  its  efficiency  and  effectiveness,  along 
with  the  integrity,  objectivity,  impartiality,  utility, 
confidentiality  of  information  collected  for 
statistical  purposes. 

•  According  to  0MB  officials,  OIRA  uses  a  variety  of  mechanisms  to  coordinate  the 
federal  statistical  system.  These  include  the  budget  formulation  and  information 
collection  review  processes;  the  development  and  implementation  of  long-range 
plans;  the  issuance  and  revision  of  statistical  policy  standards  and  orders; 
consultation  with  the  Interagency  Council  on  Statistical  Policy;  and  the  activities 
and  recommendations  of  interagency  committees  such  as  the  Federal 

Committee  on  Statistical  Methodology,  the  Interagency  Committee  for  the 
American  Community  Survey,  the  Interagency  Forum  on  Aging-Related 

Statistics,  the  Interagency  Forum  on  Child  and  Family  Statistics,  and  the  Task 
Force  on  One-Stop  Shopping  for  Federal  Statistics. 

•  In  1997  0MB  issued  an  order  on  confidentiality  covering  information  collection  by 
statistical  agencies.  The  chief  statistician  stated  that  OIRA  has  not  formally 
evaluated  the  impact  of  this  order.  However,  she  stated  that  it  has  been  very 
useful  to  some  of  the  statistical  agencies,  particularly  in  clarifying  that  confidential 
statistical  data  are  not  to  be  used  for  administrative  or  regulatory  purposes. 

Ensure  that  agency  budget  proposals  are 
consistent  with  systemwide  priorities. 

The  Statistical  Policy  Branch  coordinates  the  budget  requests  of  key  multiagency 
programs  to  ensure  consistency  with  systemwide  priorities.  In  addition,  the  budgets 
of  all  principal  statistical  agencies  are  reviewed  by  OMB’s  Resource  Management 
Organizations  and  the  Statistical  Policy  Branch.  According  to  the  chief  statistician, 
the  statistical  program  budgets  of  other  agencies,  which  account  for  about  60 
percent  of  the  approximately  $4  billion  of  annual  federal  spending  on  statistics,  are 
not  covered  by  this  review,  primarily  because  of  inadequate  detail  on  budget 
materials. 

Develop  and  oversee  the  implementation  of 
governmentwide  policies,  principles,  standards, 
and  guidelines  for  collection  methods,  data 
classifications,  dissemination,  timely  release, 
and  needs  for  administration  of  federal 
programs. 

•  Statistical  Policy  Branch  staff  participate  directly  in  the  review  of  proposed 
information  collection  requests  by  federal  agencies.  According  to  the  chief 
statistician,  this  participation  provides  the  staff  with  oversight  of  the 
questionnaires  and  statistical  methodologies  used  to  collect  information,  as  well 
as  the  use  of  these  collections  for  federal  program  needs. 

•  OIRA  has  also  expanded  or  updated  classification  standards  for  industries  (1997, 
2001),  occupations  (1998),  metropolitan  and  micropolitan  areas  (2000),  and  race 
and  ethnicity  (1997),  and  is  developing  a  new  product  classification  system. 

•  An  0MB  policy  directive,  last  updated  in  1985,  specifies  the  process  for  the 
timely  release  of  principal  economic  indicators,  and  requires  agencies  to  conduct 
periodic  evaluations  of  the  quality  of  those  indicators.  According  to  the  chief 
statistician,  OIRA  does  not  conduct  a  formal  review  of  these  evaluations,  relying 
on  agencies  to  use  them  to  improve  the  timeliness  and  quality  of  their  statistical 
programs,  but  does  use  them  in  the  information  collection  request  and  budget 
formulation  processes. 
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Appendix  II:  Key  Requirements  of  the 
Paperwork  Rednction  Act  and  OIRA  Actions 


OIRA  requirements 

Actions  taken 

Evaluate  statistical  program  performance  and 
agency  compliance  with  governmentwide 
policies,  principles,  standards,  and  guidelines. 

In  addition  to  relying  on  individual  agencies  to  perform  evaluations  of  statistical 
programs  for  compliance  with  governmentwide  polices  and  guidelines,  OIRA  uses 
the  information  collection  and  budget  review  processes  to  evaluate  statistical 
program  performance  and  compliance. 

•  0MB  prepared  legislation  that  the  House  of  Representatives  passed  as  the 
Statistical  Efficiency  Act  of  1999.  Subsequent  President’s  budgets  have 
continued  to  urge  enactment  of  this  legislation  which  would  permit  data  sharing 
solely  for  statistical  purposes  for  a  specified  group  of  statistical  agencies. 

•  To  promote  data  sharing  consistent  with  privacy  rights  and  confidentiality 
pledges,  0MB  in  1997  issued  a  confidentiality  order  for  information  collected  by 
statistical  agencies.  OIRA  officials  have  not  formally  evaluated  the  impact  of  this 
order,  but  have  noted  that  some  statistical  agencies  have  found  it  very  useful, 
particularly  in  clarifying  that  statistical  data  collected  under  a  confidentiality 
pledge  are  not  to  be  used  for  nonstatistical  purposes,  such  as  administrative  or 
regulatory  purposes. 

•  According  to  the  chief  statistician,  OIRA  has,  on  occasion,  used  the  provisions  of 

44  U.S.C.  3509  to  designate  a  single  agency  to  collect  and  share  data  needed  by 
multiple  agencies  (consistent  with  privacy  rights  and  confidentiality  pledges), 
thereby  reducing  respondent  burden. _ 

Coordinate  the  participation  of  the  United  The  Statistical  Policy  Branch  serves  as  the  focal  point  for  coordinating  U.S. 

States  in  international  statistical  activities.  participation  in  international  statistical  activities.  OIRA  coordinates  agency 

participation  in  statistical  activities  with  the  United  Nations  Statistical  Division,  the 
Organization  for  Economic  Cooperation  and  Development,  and  the  Statistical  Office 
of  the  European  Communities.  The  chief  statistician  represents  the  United  States  at 
meetings  of  the  United  Nations  Statistical  Commission.  The  chief  statistician  stated 
that  through  this  participation,  she  ensures  that  U.S.  interests  are  taken  into  account 
in  these  policy-setting  forums,  where  programs  for  international  statistical  work  are 
developed  and  adopted.  She  noted  that  in  preparation  for  these  meetings,  agency 
views  are  sought  on  the  agenda  items  by  contacting  the  member  agencies  of  the 
ICSP.  She  also  stated  that  working  through  the  Council,  0MB  ensures  that  the 
appropriate  technical  experts  represent  the  United  States  in  various  subject  matter 
_ meetings  and  in  international  standards  development  work. _ 


Promote  opportunities  for  training  in  statistical 
policy  functions. 

According  to  the  chief  statistician,  the  Statistical  Policy  Branch  encourages 
agencies  to  send  staff  to  OIRA  to  be  trained.  For  each  of  the  past  6  years,  agency 
staff  have  worked  at  OIRA,  participating  in  such  activities  as  the  preparation  of  the 
annual  report  on  statistical  programs  and  the  review  of  information  collection 
reguests. 

Section  3504(f):  Records  Management 

Provide  advice  and  assistance  to  the  Archivist 
of  the  United  States  and  the  Administrator  of 
General  Services  to  promote  coordination  of 
records  management  requirements  with  IRM 
policies,  principles,  standards,  and  guidelines. 

•  0MB  officials  stated  that  OIRA  relies  heavily  on  NARA  to  take  leadership  for 
records  management  policy. 

•  OIRA  officials  stated  that  they  and  0MB  budget  examiners  work  closely  with  both 
NARA  and  GSA.  They  have  provided  advice  countless  times,  but  these 
interactions  are  informal  and  therefore  undocumented. 

Review  agency  compliance  with  records 
management  legal  and  regulatory 
requirements. 

OIRA  relies  on  NARA  to  ensure  compliance  with  records  management 
requirements  processes.  From  fiscal  years  1996  through  2000,  NARA  conducted 

1 6  evaluations  of  agency  records  programs — including  Agriculture,  Defense, 
Commerce,  FBI,  and  CIA — and  reported  numerous  weaknesses,  making 
recommendations  for  improvement.  No  additional  evaluations  have  been 
conducted  since  then. 

Oversee  the  application  of  records 
management  policies,  principles,  standards, 
and  guidelines,  including  the  requirements  for 
archiving  information  maintained  in  electronic 

•  0MB  Circular  A-130  requires  agencies  to  ensure  that  records  management 
programs  adequately  document  agency  activities  and  incorporate  records 
management  functions  into  the  design,  development,  and  implementation  of 
information  systems. 

Promote  sharing  of  information  collected  for 
statistical  purposes  consistent  with  privacy 
rights  and  confidentiality  pledges. 
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Paperwork  Reduction  Act  and  OIRA  Actions 

OIRA  requirements 

Actions  taken 

format,  in  the  planning  and  design  of 
information  systems. 

•  CIRA  officials  stated  that  they  oversee  agency  application  of  records 
management  policies  through  the  information  collection  budget  and  review 
processes. 

•  According  to  CMB  officials,  an  e-government  initiative  on  e-records  management 
will  provide  a  framework  for  this. 

Section  3504(g):  Privacy  and  Security 

Develop  and  oversee  the  implementation  of 
policies,  principles,  standards,  and  guidelines 
on  privacy,  confidentiality,  security,  disclosure 
and  sharing  of  information,  and  security. 

CMB  Circular  A-130  provides  implementing  guidance  to  agencies  on  security  and 
privacy.  In  addition,  it  contains  specific  guidance  on  federal  agency  responsibilities 
for  maintaining  records  about  individuals  (app.  1)  and  on  security  of  federal 
automated  information  resources  (app.  III).  Further,  CIRA  has  issued  several 
memoranda  addressing  such  issues  as  interagency  data  sharing,  Internet  privacy 
issues,  and  the  need  to  incorporate  security  and  privacy  in  information  systems 
design  and  investment. 

Oversee  and  coordinate  compliance  with  the 
Freedom  of  Information  Act,  the  Privacy  Act, 
and  the  Computer  Security  Act  of  1987,  and 
related  information  management  laws. 

According  to  CIRA,  it  oversees  and  coordinates  compliance  with  the  Computer 
Security  Act  through  the  provisions  of  the  Government  Information  Security  Reform 
Act  that  require  agencies  to  engage  in  systematic  self-reporting  on  their  computer 
security  programs.  CIRA  oversees  the  Privacy  Act  though  its  reporting  requirements 
and  review  of  agency  notices  for  new  or  modified  Privacy  Act  systems  of  records. 
Freedom  of  Information  Act  oversight  is  given  to  the  Department  of  Justice, 
although  CMB  provides  guidance  on  fees.  CIRA  also  receives  and  reviews  all 
agency  inspector  general  reports  and  annual  reports,  monitors  GSA’s  incident 
report  tracking  system,  and  reviews  the  integration  of  IT  security  in  the  budget 
process  and  the  capital  planning  and  investment  control  process. 

Require  agencies  to  identify  and  afford  security 
protections  commensurate  with  the  risk  and 
management  of  the  harm  resulting  from  the 
loss,  misuse,  or  unauthorized  access  to  or 
modification  of  information. 

A-130  requires  a  risk-based  approach  to  information  security  and  stipulates  that 
new  or  continued  funding  for  IT  systems  is  contingent  on  meeting  security  criteria. 
CIRA  officials  again  emphasized  that  it  is  the  individual  agency’s  responsibility  to 
provide  appropriate  risk-based  security  protections. 

Section  3504(h):  Federai  information  Technoiogy 

In  consultation  with  the  Director  of  NIST  and 
the  Administrator  of  General  Services,  develop 
and  oversee  the  implementation  of  policies, 
principles,  standards,  and  guidelines  for 
information  technology  functions  and  system 
standards. 

According  to  CIRA  officials,  CIRA  staff  routinely  consult  with  NIST  and  the  General 
Services  Administration  in  developing  policy  and  guidance. 

Monitor  the  effectiveness  of,  and  compliance 
with,  directives  issued  under  the  Clinger-Cohen 
Act  and  relative  to  the  IT  fund. 

CIRA  holds  annual  capital  planning  and  investment  control  meetings  with  individual 
agencies  to  judge  the  well  being  of  IT  portfolios.  CIRA  officials  stated  that  they 
maintain  a  database  to  track  agency  portfolios  overtime,  but  consider  this 
information  to  be  “pre-decisional”;  it  was  thus  not  made  available  to  us.  However, 
additional  detail  on  agency  IT  portfolios  was  provided  in  the  2003  budget. 

Coordinate  the  development  and  review  of  IRM 
policy  associated  with  procurement  and 
acquisition  with  the  Cffice  of  Federal 
Procurement  Policy. 

CIRA  officials  collaborate  with  the  Cffice  of  Federal  Procurement  Policy  on  issues 
related  to  IT  procurement  and  acquisition. 

Ensure  (1)  agency  integration  of  IRM  plans, 
program  plans,  and  budgets  for  acquisition  and 
use  of  IT ;  and  (2)  the  efficiency  and 
effectiveness  of  interagency  IT  initiatives. 

CIRA  officials  use  the  budget  and  capital  planning  processes,  in  addition  to  the 
guidance  in  A-130,  to  ensure  agency  integration  of  IRM  plans  and  budgets. 
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OIRA  requirements 

Actions  taken 

Promote  the  use  of  IT  to  improve  the 
productivity,  efficiency,  and  effectiveness  of 
federal  programs. 

•  OIRA  \works  closely  with  the  CIO  Council  to  ensure  the  efficiency  and 
effectiveness  of  interagency  IT  initiatives. 

•  OIRA  promotes  the  use  of  information  technology  by  participating  in  interagency 
meetings,  through  the  information  collection  review  process,  and  desk  officer 
liaison  activities  with  agencies. 

•  According  to  OIRA  officials,  OIRA  uses  requirements  for  capital  planning  and 
investment  control  processes,  enterprise  architectures,  and  business  cases 
during  the  budget  process  to  improve  how  agencies  plan,  acquire,  and  manage 

IT. 
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EXECUTIVE  OFFICE  OF  THE  PRESIDENT 
OFFICE  OF  MANAGEMENT  AND  BUDGET 
WASHINGTON.  D.  C.  20503 

February  11,  2002 


Mr.  Joel  C.  Willemssen 

Managing  Director,  Information  Technology  Issues 
U.S.  General  Accounting  Office 
Washington,  DC  20548 

Dear  Mr.  Willemssen: 

Thank  you  for  the  opportunity  to  respond  to  the  General  Accounting  Office’s  (GAO) 
draft  report,  "Information  Resources  Management:  Comprehensive  Strategic  Plan  Needed  to 
Address  Mounting  Challenges  (GAO-02-292)."  The  Office  of  Management  and  Budget  finds  the 
draft  report  to  have  significant  implications  for  the  Office  of  Management  and  Budget’s  (0MB) 
role  in  overseeing  agency  implementation  of  the  Paperwork  Reduction  Act,  and  for  the  Office  of 
Information  and  Regulatory  Affairs  (OIRA). 

The  draft  report  focuses  much  of  its  attention  to  the  finding  that  OIRA  has  not  provided 
tlie  agencies  with  a  govemmentwide  strategic  plan  for  information  resources  management  (IRM), 
as  required  by  the  Paperwork  Reduction  Act  (PRA).  The  report  further  finds  the  statement  by 
OIRA  officials  that  taken  together,  several  documents  address  the  requirements  of  the  PRA,  to  be 
insufficient.  0MB  recognizes  that  the  draft  report  evaluates  0MB ’s  compliance  based  on  the 
goals  of  the  PRA  -  that  Federal  agencies  should  have  a  comprehensive  set  of  goals  and  measures 
by  which  to  base  agency  performance  in  the  areas  of  information  collection,  information 
dissemination,  information  technology  oversight,  security,  privacy,  records  management,  and 
statistical  policy. 

OMB  is  concerned  that  this  report  narrowly  focuses  on  the  finding  that  a  govemment¬ 
wide  strategic  Information  Resources  Management  (IRM)  plan  must  be  a  single  document. 

The  report’s  discussion  of  a  single  comprehensive  plan  does  not  reflect  the  fact  that  OMB’s 
authorities  in  several  areas,  including  information  technology  reform,  e-government,  and 
security,  are  derived  from  statutes  in  addition  to  the  PRA.  OMB  directed  GAO  to  the  documents 
listed  in  this  draft  report  as  a  means  of  demonstrating  how  OMB  oversees  and  addresses  policy  in 
each  of  the  IRM  areas,  and  GAO  has  reflected  this  listing  in  its  report.  While  these  documents 
and  reports  are  not  fully  integrated  in  a  single  document,  taken  together  they  set  general 
standards  and  strategic  direction  across  the  government  in  all  of  the  areas  required  by  the  PRA. 
As  the  report  acknowledges,  much  of  this  strategic  direction  can  be  found  in  the  discussion  of 
IRM  oversight  contained  in  the  President’s  FY  2003  Budget  and  in  Chapter  22  of  the  Analytical 
Perspectives  document.  We  will  assess  the  value  of  better  linking  these  documents  together  on 
OMB’s  web  site;  however,  we  question  whether  devoting  OMB’s  scarce  resources  to  integrating 
these  documents  under  a  single  cover  will  indeed  lead  to  improved  agency  performance  in  IRM. 
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Moreover,  while  the  draft  report  acknowledges  the  role  of  OMB’s  Associate  Director  for 
IT  and  e-Govemment,  it  does  not  incorporate  the  importance  of  this  office  into  its  findings  or 
analysis.  Mark  Forman,  in  his  role  as  Associate  Director,  assists  by  providing  strategic  direction 
to  agencies  in  many  of  the  PRA  related  areas  including  information  security,  privacy,  IT 
oversight,  records  management,  and  information  dissemination,  and  leads  the  work  of  OIRA  and 
other  0MB  offices  to  improve  agency  performance  on  these  critical  issues.  While  the  draft 
report  outlines  several  potential  risks  to  government  IRM  that  GAO  notes  as  consequences  of  not 
having  a  comprehensive  plan,  0MB  believes  that  Mr.  Forman’s  leadership  of  the 
Administration’s  "Expanding  E-Government"  initiative,  including  his  work  with  interagency 
groups  such  as  the  President’s  Management  Council  and  the  Chief  Information  Officer’s 
Council,  will  address  these  potential  risks. 

0MB  commends  GAO’s  effort  to  gauge  OIRA’s  activities  in  fulfilling  our  PRA 
authorities  and  other  statutory  responsibilities.  However,  the  report  does  not  analyze  the  impact 
of  this  Administration’s  policies  and  practices  to  fulfill  our  duties  under  the  PRA  and  other 
relevant  IRM  statutes  in  a  way  that  will  lead  to  performance  improvements  in  and  across 
agencies.  We  believe  that  such  an  analysis  would  demonstrate  tliat  the  President’s 
e-Government  initiative,  and  0MB  leadership  of  strategic  plans  for  agency  work  in  the  key  areas 
of  IRM  oversight,  are  highly  effective  in  carrying  out  the  purposes  of  the  PRA. 

Specifically,  0MB  and  OIRA’s  fulfillment  of  our  responsibilities  under  the  PRA  lies  in 
our  oversight  of  agency  efforts  to  meet  the  requirements  of  the  Act.  The  reports  and  documents 
that  are  outlined  in  GAO’s  report  represent  the  tools  by  which  we  conduct  that  oversight  and  the 
means  by  which  we  establish  an  expectation  of  general  performance  improvement  across  the 
government.  Whether  this  is  done  through  many  mechanisms  or  a  single  mechanism  does  not 
detract  from  our  efforts  to  fulfill  the  requirements  of  the  Act. 

Thank  you  again  for  the  opportunity  to  comment.  0MB  looks  forward  to  continuing 
work  with  GAO  on  how  best  to  oversee  agency  work  in  this  critical  area. 

Sincerely, 

Mitchell  E.  Daniels,  Jr. 

Director 
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Related  GAO  Products 


Bioterrorism:  The  Centers  for  Disease  Control  and  Prevention’s  Role  in 
Public  Health  Protection  (GAO-02-235T,  November  15,  2001) 

Computer  Security:  Improvements  Needed  to  Reduce  Risk  to  Critical 
Federal  Operations  and  Assets  (GAO-02-231T,  November  9,  2001) 

Homeland  Security:  Challenges  and  Strategies  in  Addressing  Short-  and 
Long-Term  National  Needs  (GAO-02-160T,  November  7,  2001) 

Electronic  Government:  Better  Information  Needed  on  Agencies’ 
Implementation  of  the  Government  Paperwork  Elimination  Act  (GAO- 
01-1100,  September  28,  2001) 

Homeland  Security:  A  Framework  for  Addressing  the  Nation’s  Efforts 
(GAO-01-1158T,  September  21,  2001) 

Combating  Terrorism:  Selected  Challenges  and  Related 
Recommendations  (GAO-01-822,  September  20,  2001) 

Electronic  Government:  Challenges  Must  Be  Addressed  With  Elective 
Leadership  and  Management  (GAO-01-959T,  July  11,  2001) 

Information  Management:  Dissemination  of  Technical  Reports  (GAO-01- 
490,  May  18,  2001) 

Internet  Privacy:  Implementation  of  Federal  Guidance  for  Agency  Use  of 
“Cookies”  (GAO-01-424,  April  27,  2001) 

Paperwork  Reduction  Act:  Burden  Estimates  Continue  to  Increase  (GAO- 
01-648T,  April  24,  2001) 

Record  Linkage  and  Privacy:  Issues  in  Creating  New  Eederal  Research 
and  Statistical  Information  (GAO-01-126SP,  April  2001) 

Information  Management:  Electronic  Dissemination  of  Government 
Publications  (GAO-01-428,  March  30,  2001) 

Combating  Terrorism:  Comments  on  Counterterrorism  Leadership  and 
National  Strategy  (GAO-01-556T,  March  21,  2001) 

Information  Management:  Progress  in  Implementing  the  1996 
Electronic  Freedom  of  Information  Act  Amendments  (GAO-01-378,  March 
16,  2001) 
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High-Risk  Series:  An  Update  (GAO-01-263,  January  2001) 

Major  Management  Challenges  and  Program  Risks:  A  Govemmentwide 
Perspective  (GAO-01-241,  January  2001) 

Determining  Performance  and  Accountability  Challenges  and  High 
Risks  (GAO-01-159SP,  November  2000) 

Electronic  Government:  Opportunities  and  Challenges  Facing  the 
FirstGov  Web  Gateway  (GAO-01-87T,  October  2,  2000) 

Federal  Chief  Information  Officer:  Leadership  Needed  to  Confront 
Serious  Challenges  and  Emerging  Issues  (GAO/T-AIMD-00-316, 
September  12,  2000) 

Year  2000  Computing  Challenge:  Lessons  Learned  Can  Be  Applied  to 
Other  Management  Challenges  (GAO/AIMD-00-290,  September  12,  2000) 

Internet  Privacy:  Agencies’  Efforts  to  Implement  0MB’ s  Privacy  Policy 
(GAO/GGD-00-191,  September  5,  2000) 

Congressional  Oversight:  Challenges  for  the  21st  Century  (GAO/T-OCG- 
00-11,  July  20,  2000) 

Revisions  to  OMB’s  Circular  A-130  (GAO/AIMD-00-183R,  May  23,  2000) 

Paperwork  Reduction  Act:  Burden  Increases  at  IRS  and  Other  Agencies 
(GAO/T-GGD-00-114,  April  12,  2000) 

Office  of  Management  and  Budget:  Future  Challenges  to  Management 
(GAO/T-GGD/AIMD-00-141,  April  7,  2000) 

Managing  in  the  New  Millennium:  Shaping  a  More  Efficient  and 
Effective  Government  for  the  21st  Century  (GAO/T-OCG-00-9,  March  29, 
2000) 

Year  2000  Computing  Challenge:  Federal  Business  Continuity  and 
Contingency  Plans  and  Day  One  Strategies  (GAO/T-AIMD-00-40,  October 
29,  1999) 

Managing  for  Results:  Answers  to  Hearing  Questions  on  Quality 
Management  (GAO/GGD-99-181R,  September  10,  1999) 
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National  Archives:  Preserving  Electronic  Records  in  an  Era  of  Rapidly 
Changing  Technology  (GAO/GGD-99-94,  July  19,  1999) 

Paperwork  Reduction  Act:  Burden  Increases  and  Unauthorized 
Information  Collections  (GAO/T-GGD-99-78,  April  15,  1999) 

Government  Management:  Observations  on  0MB’ s  Management 
Leadership  Efforts  (GAO/T-GGD/AIMD-99-65,  February  4,  1999) 

Information  Security:  Serious  Weaknesses  Place  Critical  Eederal 
Operations  and  Assets  at  Risk  (GAO/AIMD-98-92,  September  23,  1998) 

Regulatory  Management:  Implementation  of  Selected  0MB 
Responsibilities  Under  the  Paperwork  Reduction  Act  (GAO/GGD-98-120, 
July  9,  1998) 

Government  Management:  Observations  on  0MB’ s  Management 
Leadership  Efforts  (GAO/T-GGD/AIMD-98-148,  May  12,  1998) 

Statistical  Agencies:  Proposed  Consolidation  and  Data  Sharing 
Legislation  (GAO/T-GGD-98-91,  March  26,  1998) 

Managing  for  Results:  Observations  on  Agencies’  Strategic  Plans 
(GAO/T-GGD-98-66,  February  12,  1998) 

Managing  for  Results:  Agencies’  Annual  Performance  Plans  Can  Help 
Address  Strategic  Planning  Challenges  (GAO/GGD-98-44,  January  30, 
1998) 

Managing  for  Results:  Observations  on  OMB’s  September  1997  Strategic 
Plan  (GAO/T-AIMD/GGD-98-10,  October  6,  1997) 

Agencies’  Strategic  Plans  Under  GPRA:  Key  Questions  to  Facilitate 
Congressional  Review  (GAO/GGD-10.1.16,  May  1997) 

Statistical  Agencies:  Consolidation  and  Quality  Issues  (GAO/T-GGD-97- 
78,  April  9,  1997) 

Managing  for  Results:  Enhancing  the  Usefulness  of  GPRA  Consultations 
Between  the  Executive  Branch  and  Congress  (GAO/T-GGD-97-56,  March 
10,  1997) 
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Information  Technology  Investment:  Agencies  Can  Improve 
Performance,  Reduce  Costs,  and  Minimize  Risks  (GAO/AIMD-96-64, 
September  30,  1996) 

Information  Management  Reform:  Effective  Implementation  Is  Essential 
for  Improving  Federal  Performance  (GAO/T-AIMD-96- 132,  July  17,  1996) 

Statistical  Agencies:  Statutory  Requirements  Affecting  Government 
Policies  and  Programs  (GAO/GGD-96-106,  July  17,  1996) 

Federal  Statistics:  Principal  Statistical  Agencies’  Missions  and  Funding 
(GAO/GGD-96-107,  July  1,  1996) 

Executive  Guide:  Effectively  Implementing  the  Government  Performance 
and  Results  Act  (GAO/GGD-96-1 18,  June  1996) 

Executive  Guide:  Improving  Mission  Performance  Through  Strategic 
Information  Management  and  Technology  (GAO/AIMD-94-115,  May 
1994) 
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GAO’s  Mission 

■ 

The  General  Accounting  Office,  the  investigative  arm  of  Congress,  exists  to 
support  Congress  in  meeting  its  constitutional  responsibilities  and  to  help 
improve  the  performance  and  accountability  of  the  federal  government  for  the 
American  people.  GAO  examines  the  use  of  public  funds;  evaluates  federal 
programs  and  policies;  and  provides  analyses,  recommendations,  and  other 
assistance  to  help  Congress  make  informed  oversight,  policy,  and  funding 
decisions.  GAO’s  commitment  to  good  government  is  reflected  in  its  core  values 
of  accountability,  integrity,  and  reliability. 

Obtaining  Copies  of 
GAO  Reports  and 
Testimony 

■ 

The  fastest  and  easiest  way  to  obtain  copies  of  GAO  documents  is  through  the 
Internet.  GAO’s  Web  site  (www.gao.gov)  contains  abstracts  and  full-text  files  of 
current  reports  and  testimony  and  an  expanding  archive  of  older  products.  The 

Web  site  features  a  search  engine  to  help  you  locate  documents  using  key  words 
and  phrases.  You  can  print  these  documents  in  their  entirety,  including  charts  and 
other  graphics. 

Each  day,  GAO  issues  a  list  of  newly  released  reports,  testimony,  and 
correspondence.  GAO  posts  this  list,  known  as  “Today’s  Reports,”  on  its  Web  site 
daily.  The  list  contains  links  to  the  full-text  document  files.  To  have  GAO  e-mail 
this  list  to  you  every  afternoon,  go  to  www.gao.gov  and  select  "Subscribe  to  daily 
e-mail  alert  for  newly  released  products"  under  the  GAO  Reports  heading. 

Order  by  Mail  or  Phone 

The  first  copy  of  each  printed  report  is  free.  Additional  copies  are  $2  each.  A 
check  or  money  order  should  be  made  out  to  the  Superintendent  of  Documents. 
GAO  also  accepts  VISA  and  Mastercard.  Orders  for  100  or  more  copies  mailed  to  a 
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